How to marry lookup table and index data? - Splunk Community

Splunk Search

Hello Champs

I've index data table

change records errors

B221205A	109	0
B221205B	1480	0
B221205C	3336	0
B221205D	2581	8

I also have lookup table that contains

File_name Remote_file records

$APPLXYZ.C221205A	/APPLABC/B123/OUT/C221205A	109
$APPLXYZ.C221205D	/APPLABC/B123/OUT/C221205D	2581
$APPLXYZ.C221205C	/APPLABC/B123/OUT/C221205C	3336
/APPLABC/B123	/APPLABC/B123/OUT/C221205B	1480

I am looking for the result

File_name	Remote_file	records	change	errors
$APPLXYZ.C221205A	/APPLABC/B123/OUT/C221205A	109	B221205A	0
$APPLXYZ.C221205D	/APPLABC/B123/OUT/C221205D	2581	B221205B	0
$APPLXYZ.C221205C	/APPLABC/B123/OUT/C221205C	3336	B221205C	0
/APPLABC/B123	/APPLABC/B123/OUT/C221205B	1480	B221205D	8

Hi @splunklearner99,

you should explore the lookup command (https://docs.splunk.com/Documentation/Splunk/9.0.2/SearchReference/Lookup)

anyway, please try this:

index=your_index
| lookup your_lookup.csv records OUTPUT File_name Remote_file
| table File_name Remote_file records change errors

Ciao.

Giuseppe

Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...