Solved: Lookup for a value in two lookup table columns?

Hisham · ‎11-07-2022

Hi,

I have generated a search which return list of hosts and the count of events for these host. sometime the host values returned as IP Address and others as Host Name. I have a lookup table which contains a list of all IP Addresses and Host Names in addition to other metadata information.

so the result of the search is something like :

Host1 100

192.168.0.2 110

Host3 120

and the lookup table something like:

Host1 192.168.0.1 App1 Owner1

Host2 192.168.0.2 App2 Owner2

Host3 192.168.0.3 App3 Owner3

I need to lookup for host value (IP or Server Name) returned in the search result and return all the metadata associated with that value.

johnhuang · ‎11-07-2022

You can do the lookup twice. Either of these should work:

| lookup lookup_name host AS host OUTPUT app AS app_1 owner AS owner_1
| lookup lookup_name ip AS host OUTPUT app AS app_2 owner AS owner_2
| eval app=COALESCE(app_1, app_2)
| eval owner=COALESCE(owner_1, owner_2)

| lookup lookup_name host AS host OUTPUTNEW app owner
| lookup lookup_name ip AS host OUTPUTNEW app owner

View solution in original post

johnhuang · ‎11-07-2022

You can do the lookup twice. Either of these should work:

| lookup lookup_name host AS host OUTPUT app AS app_1 owner AS owner_1
| lookup lookup_name ip AS host OUTPUT app AS app_2 owner AS owner_2
| eval app=COALESCE(app_1, app_2)
| eval owner=COALESCE(owner_1, owner_2)

| lookup lookup_name host AS host OUTPUTNEW app owner
| lookup lookup_name ip AS host OUTPUTNEW app owner

Lookup for a value in two lookup table columns?

lookup

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)