Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to use lookup in subsearch with join

twh1
Communicator
‎07-04-2019 09:13 PM

I have requirement to print product details in a table. where i am getting some value from the log and some i have print based on matching product code from lookup table.

I tried below query and I am getting result in proper format.

| inputlookup PROC_DETAIL | table PROC_CODE PROC_NAME PROC_PARA PROC_TYPE | join PROC_CODE [ search index="test_data" sourcetype="test:data" | table TIMESTAMP SID PROC_CODE PROC_VALUE SYS_NAME ] | fields TIMESTAMP SID SYS_NAME PROC_TYPE PROC_PARA PROC_CODE PROC_NAME PROC_VALUE

But when I am expanding time range to see more data, my result count is remaining same, as I am matching the value from lookup table. I want to main my log data as main search and for each event, i want value of PROC_NAME PROC_PARA PROC_TYPE should come from lookup table based on matching PROC_CODE.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎07-05-2019 12:58 AM

Hi twh1,
if you put a search in subsearch, you have the limit of 50,000 results, so expanding the time range you don't have additional results.
Anyway, the lookup command is like a join command so, rebuild your search inverting the terms.
In addition, you don't need to use the table command in intermediate part of the search.
In other words, try something like this:

index="test_data" sourcetype="test:data" 
| lookup PROC_DETAIL PROC_CODE OUTPUT PROC_CODE PROC_NAME PROC_PARA PROC_TYPE 
| table TIMESTAMP SID SYS_NAME PROC_TYPE PROC_PARA PROC_CODE PROC_NAME PROC_VALUE

beware that the key field PROC_CODE must be the same in search and lookup (and it's case sensitive), if it's different, add the option PROC_CODE AS other_PROC_CODE.

Bye.
Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎07-05-2019 05:03 PM

Try this:

index="test_data" sourcetype="test:data"
| lookup PROC_DETAIL PROC_CODE OUTPUT PROC_NAME PROC_PARA PROC_TYPE
0 Karma
Reply
Solved! Jump to solution

vishaltaneja070
Motivator
‎07-05-2019 05:15 AM

@twh1

I would suggest you two ways here:
1. Use automatic lookup based where for sourcetype="test:data"
in input fields you can mention PROC_CODE and if you want fields from lookup them you can use field value override option.
By using that the fields will be automatically will be available in search
like 

 index="test_data" sourcetype="test:data"   | table TIMESTAMP SID SYS_NAME PROC_TYPE PROC_PARA PROC_CODE PROC_NAME PROC_VALUE

  1. Other way is using lookup as suggested by @gcusello in comments:
    like

    index="test_data" sourcetype="test:data"
    | lookup PROC_CODE as PROC_CODE OUTPUT PROC_CODE PROC_NAME PROC_PARA PROC_TYPE
    | table TIMESTAMP SID SYS_NAME PROC_TYPE PROC_PARA PROC_CODE PROC_NAME PROC_VALUE

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎07-05-2019 12:58 AM

Hi twh1,
if you put a search in subsearch, you have the limit of 50,000 results, so expanding the time range you don't have additional results.
Anyway, the lookup command is like a join command so, rebuild your search inverting the terms.
In addition, you don't need to use the table command in intermediate part of the search.
In other words, try something like this:

index="test_data" sourcetype="test:data" 
| lookup PROC_DETAIL PROC_CODE OUTPUT PROC_CODE PROC_NAME PROC_PARA PROC_TYPE 
| table TIMESTAMP SID SYS_NAME PROC_TYPE PROC_PARA PROC_CODE PROC_NAME PROC_VALUE

beware that the key field PROC_CODE must be the same in search and lookup (and it's case sensitive), if it's different, add the option PROC_CODE AS other_PROC_CODE.

Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

twh1
Communicator
‎07-05-2019 11:49 AM

Thanks @gcusello , it helped me alot.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...