Re: Comparison with lookup

bosseres · ‎03-21-2023

Hello everyone,

I have events which contains such fields user1=..., user2=...., user3... etc

And I have lookup which have column "user" where located all users.

gcusello · ‎03-21-2023

Hi @bosseres ,

let me understand: in your events you have many different fields as user1=..., user2=... etc..., is it correct?

how much fields do you have?

are they present in all events or they are only one for each event?

if you have only one field in each event, you could try to search for the content of a lookup where there is a column called "user" containing a list of users, using the coalesce option in the evel command, something lie this:

<your_search>
| eval user=coalesce(user1,user2,user3)
| search [ | inputlookup your_lookup.csv | fields user ]
| ...

Ciao.

Giuseppe

bosseres · ‎03-21-2023

nono, I have many different such fields

gcusello · ‎03-21-2023

Hi @bosseres ,

if you have many fields in the same event, you have to search using the lookup for each field.

Ot there could be a workaround:

<your_search> [ | inputlookup your_lookup.csv | rename user AS query | fields query ]
| ...

Ciao.

Giuseppe

How to do a comparison with lookup?

stats

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!