Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Join multiple lookup table to get result in single table

basics
Explorer
‎11-08-2020 01:10 PM

Hi,

This is the case scenario:

when I run this search query:

index = "global" productID

I get the following result:

{ "productID" : "12",
   "UserID" : "123_username",
   "type" : "web_based"
}, ....

I get 100s of these result with various productID's. Either same productID or different productID but I get the result that has productID in the entire index = "global"

now the above query result have 2 key parameters that is of my interests. They are:

  • productID
  • UserID

Now, I have 2 additional lookup table. They are:

  • Employee_lookup
    • {username, DepartmentName, .... }
    • in the above query result: username == UserID

  • Product_lookup
    • {ProductID, ProductName, ... }
    • in the above query result: ProductID == ProductID

 

now my goal is to have one table that contains all the data, and my end result table will result with these columns:

 

DepartmentName,     ProductID,     ProductName,     UserID
----------------------------------------------------------------------------
Sales,                                 12,                   marketing,             123_username
Business,                          12,                   marketing,              323_username
Business,                          15,                   Online,                      523_username

 

Note that the ProductID and Product name are always same. All we are doing is fetching the ProductID, corresponding ProductName matching the ProductID, and then matching the UserID == Username, and related DepartmentName for the UserID...

basically, I want to search all the ProductID along with its department name, product name, and userID

How do I create a query for such end result? Could someone please help me?

Labels (6)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-08-2020 04:53 PM

Start with your existing search and add a lookup command for each lookup file needed.

index = "global" productID
| lookup Employee_lookup UserID as username OUTPUT DepartmentName
| lookup Product_lookup ProductID OUTPUT ProductName
| table DepartmentName, ProductID, ProductName, UserID
---
If this reply helps you, Karma would be appreciated.
Reply

basics
Explorer
‎11-08-2020 07:48 PM

Hi @richgalloway 

thanks so much. It works! 🙂

one last thing... how would I now group by DepartmentName, ProductID and get the count of each of them...

basically I want to get the count of ProductID by DepartmentName

one department has multiple products, so group by DepartmentName, ProductID, count

The end result would be like this:

{ DepartmentName, ProductName, ProductID, count }

 

 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-09-2020 05:48 AM

Use the stats command to get counts and/or group results.

index = "global" productID
| lookup Employee_lookup UserID as username OUTPUT DepartmentName
| lookup Product_lookup ProductID OUTPUT ProductName
| stats count by DepartmentName, ProductName
| table DepartmentName, ProductName, ProductID, count
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Why did the turkey cross the road?

November 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...