Solved: How to partially join two lookups?

olegr · ‎03-21-2022

Hello,

Looking for a way to partially join 2 inputlookups.

Lookup 1: username, name

jsmith, John
jdoe, Joe

Lookup 2:username,status

jsmith-sa, enabled

I would like to return a match on jsmith to jsmith-sa but have not been able to figure out how to partially join. ie search for jsmith* against lookup2 not for exact matches. The 2nd lookup may have the entire keyword or keyword-something Search returns:

jsmith,jsmith-sa,enabled

olegr · ‎03-22-2022

That did not work for me, but I ended up figuring it out using the following:

| inputlookup lookup1.csv
| rex field=User "^(?<UserShort>.+?)\-suffix"
| eval identity = if(isnull(UserShort), User, UserShort)
| join identity [inputlookup lookup2]
...

View solution in original post

somesoni2 · ‎03-22-2022

Best way would be to setup a wildcard match lookup definition as described in this post (you'll have to modify lookup content which contains partial value i.e. Lookup1 to include wildcard).

https://community.splunk.com/t5/Splunk-Search/Wildcards-in-lookup-file/m-p/292586

olegr · ‎03-22-2022

That did not work for me, but I ended up figuring it out using the following:

| inputlookup lookup1.csv
| rex field=User "^(?<UserShort>.+?)\-suffix"
| eval identity = if(isnull(UserShort), User, UserShort)
| join identity [inputlookup lookup2]
...

How to partially join two lookups?

eval

join

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms