Splunk Search

How to write a search to join the data from four lookups on a unique field?

cadence_asif
Observer

Hello Experts,

Can you please help me with a search to join these four lookups on login (unique field). Lookups LOOKUP_A.CSV, LOOKUP_B.CSV, LOOKUP_C.CSV need to be joined to MASTER_lookup to form a RESULT_LOOKUP.

Appreciate your help with this.

Please check the source lookups and resultingdesired lookup. (attachment/inline image)

alt text

0 Karma

subtrakt
Contributor

Another option?

| inputlookup  MASTER_LOOKUP.CSV | inputlookup LOOKUP_A.CSV append=t | inputlookup LOOKUP_B.CSV  append=t | inputlookup LOOKUP_C.CSV  append=t | outputlookup RESULT_LOOKUP.csv
0 Karma

javiergn
Super Champion

What about this?

| inputcsv MASTER_LOOKUP.csv
| join type=left login [| inputcsv LOOKUP_A.csv]
| join type=left login [| inputcsv LOOKUP_B.csv]
| join type=left login [| inputcsv LOOKUP_C.csv]
| outputcsv RESULT_LOOKUP.csv
0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...