Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

I need help working with a Lookup Table...

TorbinIT
Path Finder
‎09-06-2023 06:54 AM

Hello again!

I'm working with two different sources of data both tracking the same thing but coming from different sources. I need to consolidate them into one single Splunk search, so I decided to turn one of the two sources of data into a lookup table for the other.

Right now the lookup table I'm using has 3 Fields in it: HostName, Domain, and Tanium.

What I'd like to do is load the 3 fields from this Lookup into my Splunk Search so that:

1) the HostName field from the lookup is merged with the HostName field in the search, with unique HostName values from the search and the lookup both available in the final output, but also that if there's duplicate values for HostName, they're merged together.

2) The Domain and Tanium values from the Lookup are loaded into their corresponding entries in the final output.

Is this possible? I believe it should be if I use the command:

| lookup WinrarTaniumLookup.csv HostName OUTPUT Tanium Domain

But when I put in that command it doesn't appear to be adding any unique HostName values from the Lookup, just merging the HostName values that both the lookup and the search share. 

What am I doing wrong here?

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-06-2023 07:06 AM

Try something like this

<search>
| append
  [| inputlookup WinrarTaniumLookup.csv]
| stats values(*) as * by HostName

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-06-2023 07:06 AM

Try something like this

<search>
| append
  [| inputlookup WinrarTaniumLookup.csv]
| stats values(*) as * by HostName
Reply
Solved! Jump to solution

TorbinIT
Path Finder
‎09-06-2023 07:27 AM

That worked, thank you!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...