Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to limit the results of one lookup with a second lookup?

mistydennis
Communicator
‎08-22-2022 01:34 PM

Hi all - I am trying to take one lookup and limit its results with another lookup.  I can kinda get it to work with my current SPL, but it's taking a long time to run and the results don't come out as expected. Here's what I have so far:

 

| inputlookup my_kvstore 
| lookup my_lookup lookupfield_1 AS kvstorefield_1 OUTPUT lookupfield_1 
| lookup my_kvstore kvstorefield_1 AS lookupfield_1 OUTPUT kvstorefield_2, kvstorefield_3, kvstorefield_4, kvstorefield_5 
| WHERE kvstorefield_1=lookupfield_1

 

 

Results:

kvstorefield_1 kvstorefield_2 kvstorefield_3 kvstorefield_4 kvstorefield_5 lookupfield_1

2016

2016

centos

centos

linux

linux

web

web

workstation1

workstation2

2016

2016

2017

2017

2017

apache

apache

apache

tomcat

tomcat

tomcat

http

http

http

server1

server2

server3

2017

2017

2017

 

1. Is my search formed correctly? 
2. How do I get each of the events to come out in their own row instead of being grouped into one line based on the matching kvstorefield/lookupfield?

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎08-22-2022 04:18 PM

If I understand the example correctly, kv store lookup contains data set 1 and you want to only select rows where a row also exists in your second lookup. 

Seems to me that you already have kvstorefield_ fields 2-5 from the inputlookup on your first line, so the lookup on line 2 will simply validate if it contains kvstorefield_1. I believe your line 3 and 4 can just be replaced with 

| where isnotnull(lookupfield_1)

which will say 'if kvstorefield_1 is NOT in lookup, then ignore'.

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎08-22-2022 04:18 PM

If I understand the example correctly, kv store lookup contains data set 1 and you want to only select rows where a row also exists in your second lookup. 

Seems to me that you already have kvstorefield_ fields 2-5 from the inputlookup on your first line, so the lookup on line 2 will simply validate if it contains kvstorefield_1. I believe your line 3 and 4 can just be replaced with 

| where isnotnull(lookupfield_1)

which will say 'if kvstorefield_1 is NOT in lookup, then ignore'.

 

0 Karma
Reply
Solved! Jump to solution

mistydennis
Communicator
‎08-23-2022 07:04 AM

I had a feeling I was overcomplicating it - thank you so much!

0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎08-22-2022 04:25 PM

not sure what your second lookup is containing, but if you have multiple matches for the lookup field (2016/2017), then you will get multiple results in the same row, so when you re-lookup the data, it will create multiple values in the final table.

If you remove the second lookup, which appears unnecessary, then your result should look better.

0 Karma
Reply
Get Updates on the Splunk Community!

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...