Re: How to find comman value from multiple watchli...

akshayinnamuri · ‎07-13-2022

Hi
below is one of the requirement

I have multiple lookuptable

example

number name lookuptable

1 abc 1stlookuptable

number name lookuptable

1 abc 2ndlookuptable

number name lookuptable

1 dxc 3rdlookuptable

number name lookuptable

1 xyz 4thlookuptable

number name lookuptable

1 abc 5thlookuptable

requirement is how to build query where name=abc (from above example) to shows below table fields stating abc belong to which lookuptable on run

name lookuptable

example out

name lookuptable

abc 1stlookuptable

2ndlookuptable

5thlookuptable

harishalipaka · ‎07-14-2022

@akshayinnamuri

Values - without duplicate , list - with duplicates

| makeresults| eval lookupname="1stlookuptable",name="abc" | table name lookupname
| append [ | makeresults | eval lookupname="2ndlookuptable",name="abc" | table name lookupname ]
| append [ | makeresults | eval lookupname="3rdlookuptable",name="dxc" | table name lookupname ]
| append [ | makeresults| eval lookupname="4thlookuptable",name="xyz" | table name lookupname ]
| append [ | makeresults | eval lookupname="5thlookuptable",name="abc" | table name lookupname ] | stats list(lookupname) AS lookupname BY name

Thanks
Harish

gcusello · ‎07-14-2022

Hi @akshayinnamuri,

please try something like this:

| inputlookup 1stlookuptable | eval lookupname="1stlookuptable" | fields name lookupname
| append [ | inputlookup 2ndlookuptable | eval lookupname="2ndlookuptable" | fields name lookupname ]
| append [ | inputlookup 3rdlookuptable | eval lookupname="3rdlookuptable" | fields name lookupname ]
| append [ | inputlookup 4thlookuptable | eval lookupname="4thlookuptable" | fields name lookupname ]
| append [ | inputlookup 5thlookuptable | eval lookupname="5thlookuptable" | fields name lookupname ]
| stats values(lookupname) AS lookupname BY name

Ciao.

Giuseppe

How to find comman value from multiple watchlist

join

lookup

regex

subsearch

table

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Splunk Community Badges!

How to find the worst searches in your Splunk environment and how to fix them

Share Your Feedback: On Admin Config Service (ACS)!

Join the Conversation

How to find comman value from multiple watchlist

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.