How to find comman value from multiple watchlist

akshayinnamuri · ‎07-13-2022

Hi
below is one of the requirement

I have multiple lookuptable

example

number name lookuptable

1 abc 1stlookuptable

number name lookuptable

1 abc 2ndlookuptable

number name lookuptable

1 dxc 3rdlookuptable

number name lookuptable

1 xyz 4thlookuptable

number name lookuptable

1 abc 5thlookuptable

requirement is how to build query where name=abc (from above example) to shows below table fields stating abc belong to which lookuptable on run

name lookuptable

example out

name lookuptable

abc 1stlookuptable

2ndlookuptable

5thlookuptable

harishalipaka · ‎07-14-2022

@akshayinnamuri

Values - without duplicate , list - with duplicates

| makeresults| eval lookupname="1stlookuptable",name="abc" | table name lookupname
| append [ | makeresults | eval lookupname="2ndlookuptable",name="abc" | table name lookupname ]
| append [ | makeresults | eval lookupname="3rdlookuptable",name="dxc" | table name lookupname ]
| append [ | makeresults| eval lookupname="4thlookuptable",name="xyz" | table name lookupname ]
| append [ | makeresults | eval lookupname="5thlookuptable",name="abc" | table name lookupname ] | stats list(lookupname) AS lookupname BY name

Thanks
Harish

gcusello · ‎07-14-2022

Hi @akshayinnamuri,

please try something like this:

| inputlookup 1stlookuptable | eval lookupname="1stlookuptable" | fields name lookupname
| append [ | inputlookup 2ndlookuptable | eval lookupname="2ndlookuptable" | fields name lookupname ]
| append [ | inputlookup 3rdlookuptable | eval lookupname="3rdlookuptable" | fields name lookupname ]
| append [ | inputlookup 4thlookuptable | eval lookupname="4thlookuptable" | fields name lookupname ]
| append [ | inputlookup 5thlookuptable | eval lookupname="5thlookuptable" | fields name lookupname ]
| stats values(lookupname) AS lookupname BY name

Ciao.

Giuseppe

How to find comman value from multiple watchlist

join

lookup

regex

subsearch

table

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?

How to find comman value from multiple watchlist

Can’t make it to .conf25? Join us online!