Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to prevent results from an input file being excluded after performing a lookup against another input

ezmo1982
Path Finder
‎02-04-2021 09:45 AM

Hi,

I have the following search:

| inputlookup ldap_assets.csv
| lookup existing_assets dns output ip bunit category city country owner priority
| outputlookup create_empty=false createinapp=true override_if_empty=false merged_assets.csv

The 'ldap_assets.csv' contains a list of assets and their attributes. The search then does a lookup command on 'existing_assets' lookup which contains other asset attributes (a manually created list).  The search then outputs results to a merged_assets.csv. 

The problem im having is that if a record exists in existing_assets, but it doesnt exist in ldap_assets.csv, it is being excluded from results of the outputlookup command. I would like those existing records to still be included in the merged_assets.csv file. So basically I want the two files to merge without any exclusions after the lookup.

Can somebody provide assistance on where on going wrong?

Thanks. 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎02-04-2021 11:42 AM

Hi @ezmo1982,

Please try below;

| inputlookup ldap_assets.csv 
| append 
    [| inputlookup existing_assets] 
| outputlookup create_empty=false createinapp=true override_if_empty=false merged_assets.csv
If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

Reply
Solved! Jump to solution

ezmo1982
Path Finder
‎02-05-2021 08:17 AM

Thanks. There are some duplicates in there so i added a dedup command and now i have the results i need.

0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎02-04-2021 06:20 PM

 

@ezmo1982 

Load the two files with two inputlookups, then merge the two data sets using stats values  grouping by the lookup fields.

| inputlookup ldap_assets.csv
| append [
  | inputlookup existing_assets
]
| stats values(*) as * by dns output ip bunit category city country owner priority
| outputlookup create_empty=false createinapp=true override_if_empty=false merged_assets.csv

 should do the trick

 

Reply
Solved! Jump to solution

ezmo1982
Path Finder
‎02-05-2021 08:16 AM

Thanks. Seems like the stats command is resulting in zero records. But turns out i dont need it. 

0 Karma
Reply
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎02-04-2021 11:42 AM

Hi @ezmo1982,

Please try below;

| inputlookup ldap_assets.csv 
| append 
    [| inputlookup existing_assets] 
| outputlookup create_empty=false createinapp=true override_if_empty=false merged_assets.csv
If this reply helps you an upvote and "Accept as Solution" is appreciated.
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...