Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Join 2 lookups match fields
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I am looking to join 2 lookups and match the field "AccountName" from lookup1 with user field in lookup 2.
I have 269 results in lookup 1 and 250 results in lookup 2.
When I match the fields and join the lookups I lose the 19 results that dont have a match.
How can I do this a keep the 19 results so I can manually update these
TIA
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello nathanluke86!
If you want to get the results from both lookups, try something like this:
| inputlookup lookup1.csv
| append
[|inputlookup lookup2.csv]
then to get only one row per user, you could add something like this to the end:
| stats values(*) as * by user
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Please tell us more about the problem you are trying to solve so we can help you find a solution.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@richgalloway
basically I want to join two lookups and combine the fields from both by matching on a user field
lookup1 has fields user, ip, mac
lookup2 has fields user, workstation, guid, sid
I want to match the user field and then create a new lookup as below:
lookup with fields user, ip, mac, workstation, guid, sid.
I can join these by using |eval matchfield user but when I do this I lose 19 results from lookup1 as there is no user match in lookup2
lookup1 has 269 users
lookup2 has 250 users (missing 19 users)
I need to create the new lookup but also keep the 19 users that were not matched.
hope that makes sense
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello nathanluke86!
If you want to get the results from both lookups, try something like this:
| inputlookup lookup1.csv
| append
[|inputlookup lookup2.csv]
then to get only one row per user, you could add something like this to the end:
| stats values(*) as * by user
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks @acfecondo75
used the above but changed append to appendcols
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
