Splunk Search

How to pass lookup table to search?

Try_harder
New Member

Hello Team,

I have a lookup table with 1000 employees' data in it, like email, id and others.
I have a search which also produces the same result, like employee email, id, and status.
I want to combine both of them so my search produces data only for employees who are in the lookup table.
I tried passing the lookup but it's fetching all data.

This is what I am using ("EmployeeEmail" is a term in the lookup table):
index=Employeedata sourcetype=data
|lookup InT_EM as EmployeeEmail
|table EmployeeEmail, status


Try_harder
New Member

Maybe I should rephrase the question.
So I have one index which has all employee data like email, status, id, region etc. (index=employeedata).
I have a lookup table which has the data in this format (table):

id     EmployeeEmail  laptopnam  blah  blah
A1234  a@gmail.com    0          0     0
A1233  b@gmail.com    0          0     0
A1235  c@gmail.com    0          0     0

I want to get the information of all employees listed in this table from index=employeedata, for that, I am using

index=employeedata sourcetype=ldap
| lookup table employeeemail as email
| table email, status, id, region

but the results are inconclusive.
Can someone please see what is wrong with this?


yuanliu
SplunkTrust
index=employeedata sourcetype=ldap
| lookup table employeeemail as email
| table email, status, id, region


First of all, your illustrated lookup table contains a stylized column name "EmployeeEmail" but the above code uses all-lowercase "employeeemail". This doesn't match anything. Second, even if corrected for column name spelling, the lookup command gives you extra fields for matching entries but does not remove events that have no match.

To limit output, use where on a field that exists in the table but not in original events, e.g.,

index=employeedata sourcetype=ldap
| lookup table EmployeeEmail as email
| where isnotnull(laptopnam)
| table email, status, id, region

On the other hand, I would recommend not to use email as lookup criteria because id, which exists in both raw events and lookup table, is perhaps more unique?

index=employeedata sourcetype=ldap
| lookup table id
| where isnotnull(laptopnam)
| table email, status, id, region
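A fuller version of the pattern this answer describes, added here as an example and not part of the original thread. It assumes a CSV lookup named employees.csv (a constructed name) whose columns match the table in the question (id, EmployeeEmail, laptopnam), and that the LDAP events carry the address in a field called email.

```spl
index=employeedata sourcetype=ldap
| eval email=lower(email)
| lookup employees.csv EmployeeEmail AS email OUTPUT laptopnam
| where isnotnull(laptopnam)
| table email, status, id, region

index=employeedata sourcetype=ldap
    [| inputlookup employees.csv
     | fields EmployeeEmail
     | rename EmployeeEmail AS email]
| table email, status, id, region
```

The first search enriches and then filters: the lookup column name must be spelled exactly as in the CSV header (lookup field names are case-sensitive), AS maps it onto the event field, OUTPUT pulls in a column that only the lookup can supply, and where() keeps only the events that matched a row. CSV lookups also match values case-sensitively by default, so the eval lowercases the address first (or set case_sensitive_match to false in the lookup definition). The second search lets the lookup drive the query instead: the subsearch expands to (email="a@gmail.com") OR (email="b@gmail.com") OR ..., so only events for listed employees are read from the index at all; the default subsearch cap of 10000 results comfortably holds 1000 employees.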

Try_harder
New Member

I used the same. no results


yuanliu
SplunkTrust

Suppose your lookup outputs a field EmployeeName, you go

index=Employeedata sourcetype=data
|lookup InT_EM as EmployeeEmail
|where isnotnull(EmployeeName)
|table EmployeeEmail, status