Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to join my search to a lookup table with more than one field?

ewanbrown
Path Finder
‎12-23-2014 03:22 AM

Hi

I have a search query that I need to join to a lookup table.

I have it joining to this lookup table TestDec14 and working when I look up the NEW_ID field, but I also need to join to the ID_TYPE field

index=test NEW_ID=123 OR NEW_ID= 456

| lookup TestDec14 NEW_ID
| eval new_add=NEW_ID.",".address

| chart count by new_add
| sort count desc

Is this possible? If so do you have any syntax on how I would do this? I've tried a few options but none have worked

Thanks

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

pedromvieira
Communicator
‎12-23-2014 06:16 AM

Yes you can lookup from multiple fields.

The syntax is:

... | lookup YOUR_LOOKUP field1 fieldn OUTPUT column1 columnn

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Lookup

In your example it will be:

index=test NEW_ID=123 OR NEW_ID= 456 
| lookup TestDec14 NEW_ID ID_TYPE OUTPUT
| eval new_add=NEW_ID.",".address 
| chart count by new_add 
| sort count desc

View solution in original post

Reply
Solved! Jump to solution
Solution

pedromvieira
Communicator
‎12-23-2014 06:16 AM

Yes you can lookup from multiple fields.

The syntax is:

... | lookup YOUR_LOOKUP field1 fieldn OUTPUT column1 columnn

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Lookup

In your example it will be:

index=test NEW_ID=123 OR NEW_ID= 456 
| lookup TestDec14 NEW_ID ID_TYPE OUTPUT
| eval new_add=NEW_ID.",".address 
| chart count by new_add 
| sort count desc
Reply
Solved! Jump to solution

ewanbrown
Path Finder
‎01-20-2015 07:12 AM

Perfect! Thanks (a month after you answered it!!)

0 Karma
Reply
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...