Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to perform a join on a field from source1 to one or another field in source2 based on the source1 field value?

splunkin11
Path Finder
‎10-13-2016 02:01 PM

I'm trying to join information from a metadata search to a lookup file. It works using a subsearch such as this:

| metadata type=hosts index= | join type=left host [|inputlookup myfile.csv |rename fieldx as host]

My metadata host field may contain an IP or a name. My lookup file contains two fields - one with the IP and another with the hostname. Can I join the two files so that if the metadata host field is an IP it joins the lookup file based on the IP field and when the metadata host field contains a hostname it joins based on the hostname field?

I can do this by running two different searches - one join for IP and one join for hostname and combine the two results in a dashboard, but I was wondering if I could join the records based on either value of the host field in one search.

Any input is greatly appreciated!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎10-13-2016 02:57 PM

Try like this. Assuming your lookup has fields host, IP, field1, field2... where field1, field2 are the fields that you want to return.

| metadata type=hosts index=* 
| lookup myfile.csv  hostfield as host OUTPUT field1 as field1_host field2 as field2_host 
| lookup myfile.csv  IPfield  as host OUTPUT field1 as field1_IP field2 as field2_IP
| eval field1=coalesce(field1_host, field1_IP) 
| eval field2=coalesce(field2_host, field2_IP) 
| table host field1 field2

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎10-13-2016 02:57 PM

Try like this. Assuming your lookup has fields host, IP, field1, field2... where field1, field2 are the fields that you want to return.

| metadata type=hosts index=* 
| lookup myfile.csv  hostfield as host OUTPUT field1 as field1_host field2 as field2_host 
| lookup myfile.csv  IPfield  as host OUTPUT field1 as field1_IP field2 as field2_IP
| eval field1=coalesce(field1_host, field1_IP) 
| eval field2=coalesce(field2_host, field2_IP) 
| table host field1 field2
0 Karma
Reply
Solved! Jump to solution

splunkin11
Path Finder
‎10-14-2016 06:37 AM

Works great - thanks!

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎10-13-2016 03:01 PM

Another crude method (not recommended as joins are expensive and here it can be avoided, putting here just for reference).

| metadata type=hosts index=* | join type=left host [|inputlookup myfile.csv |eval host=mvappend(hostfield,IPfield) | mvexpand host ]
0 Karma
Reply
Solved! Jump to solution

cmerriman
Super Champion
‎10-13-2016 02:49 PM

Could you try |join type=left host IP ?

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎10-13-2016 02:58 PM

This will not work as the metadata command result doesn't have both the fields (host and IP)

0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Brute Force Account Takeover Fraud with Splunk

This article is the second in a three-part series exploring advanced fraud detection techniques using Splunk. ...

Buttercup Games: Further Dashboarding Techniques (Part 9)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Buttercup Games: Further Dashboarding Techniques (Part 8)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top