Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to use 2 columns in one join search

Eyal
Path Finder
‎10-23-2023 03:41 AM

Hi,

I have a query that trigger when a user has been added to a specific types of groups.

The query depends on lookup with 2 columns inside (one for group_name, Another for Severity).

I want to find any event of adding to one of the monitored groups, But also to enrich my final table with the severity right next to the group_name.

I have tried to resolve this using:

| join type=left group_name
[| inputlookup my_list.csv]
| where isnotnull(Severity)

But somehow only 2 groups with low severity is being found even though all the groups in the list has its own severity.

How can I managed to make my table show the group with its severity?

Labels (2)
Labels
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-23-2023 04:58 AM

Hi @Eyal,

for joinining a lookup you don't need the join command that anyway shoud be avoided all the times and used only when there isn't any other solution.

You can use the lookup command that's a left join, something like this:

<your_search>
| lookup my_list.csv group_name OUTPUT Severity
| where isnotnull(Severity)

if the field to use gor joining is different beteen the main swarch and the lookup, you can use AS.

for more infos see at https://docs.splunk.com/Documentation/Splunk/9.1.1/SearchReference/Lookup

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

Eyal
Path Finder
‎10-25-2023 01:08 AM

Hi Giuseppe thank you for your help it worked 🙂

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-23-2023 04:58 AM

Hi @Eyal,

for joinining a lookup you don't need the join command that anyway shoud be avoided all the times and used only when there isn't any other solution.

You can use the lookup command that's a left join, something like this:

<your_search>
| lookup my_list.csv group_name OUTPUT Severity
| where isnotnull(Severity)

if the field to use gor joining is different beteen the main swarch and the lookup, you can use AS.

for more infos see at https://docs.splunk.com/Documentation/Splunk/9.1.1/SearchReference/Lookup

Ciao.

Giuseppe

Reply
Get Updates on the Splunk Community!

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization uses ...