Splunk Search

How to lookup?

rvencu
Path Finder

I have a lookup table of IDs like this:
(id)uuid - (myid)numeric id
(id)uuid - (myid)email
(id)email - (myid)numeric id

So the same visitor that I am identifying by uuid later on can be identified by email or by a numeric id. For me the numeric id is most important and the email is second important. So if there is any identification like
(id)uuid - (myid)numeric id
(id)uuid - (myid)email
I want to end up with the numeric id only.

Every record might have uuid, email or numeric id fields. I then want to calculate a field theID by attaching the numeric ID then email only if numeric ID is not existent. In care there is nothing in the lookup table for the uuid then I can leave theID as uuid.

I came up to this formula but it is not correct:
host="myhost" | where id!="" | lookup sp_aliases id OUTPUT myid | eval theId=if(myid!="",myid,id) but this just leave the first myid encountered into the lookup table

I guess I need to convert the lookup table into a new lookup table better preprocessed. I need some suggestions on how to do that.

0 Karma

woodcock
Esteemed Legend

Like this:

host="myhost" | where id!=""
| lookup sp_aliases id OUTPUT myid
| eval numeric=mvfilter(match(myid, "^[^@]+$"))
| eval email=mvfilter(match(myid, "@"))
| eval theId=coalesce(numeric, email, id)
0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Best Practices: Splunk auto adjust pipeline queue

When you enable autoAdjustQueue in Splunk, maxSize should be understood as the queue size Splunk starts with ...

Request for Professional Development: Attending .conf26

Winning Over the Boss: Your Pass to .conf26 conf26 is going to be here before you know it. If don't already ...

Casting Call: Compete in Cyber Games

Lights, Camera, SecOps: Apply to Compete in Cyber Games     Think you have what it takes to beat the clock? ...