Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to do a comparison with lookup?

bosseres
Contributor
‎03-21-2023 05:20 AM

Hello everyone, 

I have events which contains such fields user1=..., user2=...., user3... etc

And I have lookup which have column "user" where located all users.

 

 

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-21-2023 06:17 AM

Hi @bosseres ,

let me understand: in your events you have many different fields as user1=..., user2=... etc..., is it correct?

how much fields do you have?

are they present in all events or they are only one for each event?

if you have only one field in each event, you could try to search for the content of a lookup where there is a column called "user" containing a list of users, using the coalesce option in the evel command, something lie this:

<your_search>
| eval user=coalesce(user1,user2,user3)
| search [ | inputlookup your_lookup.csv | fields user ]
| ...

Ciao.

Giuseppe

Reply

bosseres
Contributor
‎03-21-2023 06:23 AM

nono, I have many different such fields

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-21-2023 06:39 AM

Hi @bosseres ,

if you have many fields in the same event, you have to search using the lookup for each field.

Ot there could be a workaround:

<your_search> [ | inputlookup your_lookup.csv | rename user AS query | fields query ]
| ...

Ciao.

Giuseppe

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...

Global Splunk User Group Events: May + June 2026

Your Splunk Community Awaits: Discover Upcoming User Group Events Worldwide    Staying ahead in the fast-paced ...