Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Lookup command to both filter and append new fields

matthewb4
Path Finder
‎11-06-2017 09:51 AM

How do I use lookup command to filter events based on one of the fields but then just add the rest of the fields to the remaining events? For example, I want the events in my base search to be filtered by values that match field1 in the lookup file. But then I just want the field2 and field3 values from the lookup file to be added to the remaining events since these two fields don't exist in the base events.

how would i modify the below query so that it's not filtering by field2 and field3 as well but simply appending these values to the remaining events?

base search ... [|inputlookup partner.csv | fields field1 field2 field3 ]

0 Karma
Reply

starcher
Influencer
‎11-06-2017 10:07 AM

That is a simple application of the lookup.

base search | lookup myLookup field1 OUTPUTNEW

Reply

elliotproebstel
Champion
‎11-06-2017 10:07 AM

Here are two ways to do this. Try both and see which is faster for your data sets:

base search [ | inputlookup partner.csv | fields field1 ] | lookup partner.csv field1 OUTPUT field2 field3

OR

base search | lookup partner.csv field1 OUTPUT field2 field3 | where isnotnull(field2) OR isnotnull(field3)

I'd expect the first option to work well if the size of your CSV is quite small compared to the number of events being searched in the base search. If the CSV is quite large and the base search alone does not return that many events, then the second might be faster.

Reply

starcher
Influencer
‎11-06-2017 10:08 AM

I agree with the use of isnotnull if you want only events that had the returned values from the lookup.

0 Karma
Reply

starcher
Influencer
‎11-06-2017 09:56 AM

But by what field are you wanting to lookup the remaining fields?

0 Karma
Reply

matthewb4
Path Finder
‎11-06-2017 10:02 AM

field1? if field1 value matches a value in the base search events, then I would want field2 and field3 from the corresponding row in lookup table to be added to this event

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...