Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to replace values without using a join

robertlynch2020
Influencer
‎07-26-2017 05:39 AM

I am using a join, but is there a better way to replace values?

I have the following table. (NICKNAME + Human_Name_Nickname are the headers)

NICKNAME    Human_Name_Nickname
mx  MX_BASIC
smcrisk_engine  RISK_ENGINE
mxtraderepository_engine    MX_TRADE_REPO_ENGINE
smcobjectrepository_engine  SM_ENGINE
mxmlexchange_mxtaskxa   MXMLEXCHANGE
mxdealscanner_engine    DEAL_SCANNER
mx_cesar    CESAR
mx_marketdata_repository_engine MARKET_DATA
mxprocessingscript  PROCESSING_SCRIPT

I am retriving back thousands of lines of data with NICKNAME, i want to replace values from the lookup table.
E.G find "mx" and replace it with "MX_BASIC" etc.. so lots of entries. Then find "smcrisk_engine" and replace it with "RISK_ENGINE" if no match use the original value.

This is what i have- But i have been told not to use joins...can i do this better?

| join  NICKNAME type=left [inputlookup TEST_MXTIMING_NICKNAME.csv  ] | fillnull Human_Name_Nickname | eval Human_Name_Nickname=if(Human_Name_Nickname=0,$$NICKNAME$$,Human_Name_Nickname) | rename Human_Name_Nickname AS NICKNAME.

This works, but i am concerned of performance.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎07-26-2017 07:08 AM

Instead do this:

... | lookup TEST_MXTIMING_NICKNAME NICKNAME
| eval NICKNAME=coalesce(Human_Name_Nickname, NICKNAME)
| fields - Human_Name_Nickname

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎07-26-2017 07:08 AM

Instead do this:

... | lookup TEST_MXTIMING_NICKNAME NICKNAME
| eval NICKNAME=coalesce(Human_Name_Nickname, NICKNAME)
| fields - Human_Name_Nickname
0 Karma
Reply
Solved! Jump to solution

robertlynch2020
Influencer
‎07-27-2017 03:44 AM

Brill - Cheers 🙂

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎07-26-2017 06:01 AM

Hi robertlynch2020,
lookup command is a left join so you can write something like this

your_search
| lookup TEST_MXTIMING_NICKNAME.csv NICKNAME OUTPUT other_lookup_fields
| ...

if the NICKNAME field is different between search and lookup, you can write

your_search
| lookup TEST_MXTIMING_NICKNAME.csv NICKNAME AS different_NICK_NAME OUTPUT other_lookup_fields
| ...

Bye.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎07-26-2017 06:00 AM

Joins do not perform well so it's a good idea to avoid them. What you are trying to do seem pretty straightforward and can easily be done without a join.

<your search that returns events with NICKNAME field> | lookup TEST_MXTIMING_NICKNAME.csv NICKNAME OUTPUT Human_Name_Nickname | eval NICKNAME=coalesce(Human_Name_Nickname,NICKNAME) | ...

This query searches the lookup file for the given NICKNAME and returns the associates Human_Name_Nickname. The coalesce statement sets NICKNAME to the value if Human_Name_Nickname if it is not null, otherwise it's set to itself.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...