Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to get all possible entries from two lookups?

splunkrocks2014
Communicator
‎10-17-2016 04:07 PM

How to get all possible entries from two lookups? For instance, lookup_1 and lookup_2

lookup_1

    application
    =========
    app1
    app2
    app3

lookup_2

    service      link      
    ======     ==============
    s1              link1
    s1              link2
    s2              link3

And the end result should be:

lookup_3

application     service        link
==========      ======       ====================
app1                s1                link1
app1                s1                link2
app1                s2                link3
app2                s1                link1
app2                s1                link2
app2                s2                link3
app3                s1                link1
app3                s1                link2
app3                s2                link3
Reply
1 Solution
Solved! Jump to solution
Solution

lquinn
Contributor
‎10-17-2016 05:24 PM

Give this a go ...

| inputlookup csv1.csv | append [|inputlookup csv2.csv] | eventstats values(application) AS application | search link=* | mvexpand application

View solution in original post

Reply
Solved! Jump to solution

sideview
SplunkTrust
SplunkTrust
‎10-17-2016 07:26 PM

There's a weird way to do this without using either the join or the append command. Posting it as an answer partly because it's fun, partly because join and append are.... evil? If you're doing lookups that only have a small number of rows join and append answers are probably the right answers though.

Anyway, here it is. 

| inputlookup lookup_1 | inputlookup lookup_2 append=t | eventstats values(application) as applications | search service=* OR link=* | mvexpand applications | rename applications as application

the append=t option on the inputlookup command is better to use than the more generic append command, in particular I believe it has no limit on number of rows being appended (append and join will throw away rows after 50K).
The funny looking eventstats command is going to put a multivalue field called "applications" on every row in the entire result set, where the multivalue values are each all of the values of application. The search clause then throws away the actual "lookup_1" rows that we had. Lastly we mvexpand and rename, and the net result is what you need - the sort-of cross-product of the two lookups.

0 Karma
Reply
Solved! Jump to solution

maciep
Champion
‎10-17-2016 05:34 PM

maybe use join to put them together by creating a common field for each search.

| inputlookup app_lookup.csv | eval join_field="temp" | join join_field max=0 [|inputlookup link_lookup.csv | eval join_field="temp"] | fields - join_field
0 Karma
Reply
Solved! Jump to solution
Solution

lquinn
Contributor
‎10-17-2016 05:24 PM

Give this a go ...

| inputlookup csv1.csv | append [|inputlookup csv2.csv] | eventstats values(application) AS application | search link=* | mvexpand application
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...