Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to join my search to a lookup table with more than one field?

ewanbrown
Path Finder
‎12-23-2014 03:22 AM

Hi

I have a search query that I need to join to a lookup table.

I have it joining to this lookup table TestDec14 and working when I look up the NEW_ID field, but I also need to join to the ID_TYPE field

index=test NEW_ID=123 OR NEW_ID= 456

| lookup TestDec14 NEW_ID
| eval new_add=NEW_ID.",".address

| chart count by new_add
| sort count desc

Is this possible? If so do you have any syntax on how I would do this? I've tried a few options but none have worked

Thanks

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

pedromvieira
Communicator
‎12-23-2014 06:16 AM

Yes you can lookup from multiple fields.

The syntax is:

... | lookup YOUR_LOOKUP field1 fieldn OUTPUT column1 columnn

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Lookup

In your example it will be:

index=test NEW_ID=123 OR NEW_ID= 456 
| lookup TestDec14 NEW_ID ID_TYPE OUTPUT
| eval new_add=NEW_ID.",".address 
| chart count by new_add 
| sort count desc

View solution in original post

Reply
Solved! Jump to solution
Solution

pedromvieira
Communicator
‎12-23-2014 06:16 AM

Yes you can lookup from multiple fields.

The syntax is:

... | lookup YOUR_LOOKUP field1 fieldn OUTPUT column1 columnn

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Lookup

In your example it will be:

index=test NEW_ID=123 OR NEW_ID= 456 
| lookup TestDec14 NEW_ID ID_TYPE OUTPUT
| eval new_add=NEW_ID.",".address 
| chart count by new_add 
| sort count desc
Reply
Solved! Jump to solution

ewanbrown
Path Finder
‎01-20-2015 07:12 AM

Perfect! Thanks (a month after you answered it!!)

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...