Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Lookup for a value in two lookup table columns?

Hisham
Engager
‎11-07-2022 07:51 AM

Hi,

I have generated a search which return list of hosts and the count of events for these host. sometime the host values returned as IP Address and others as Host Name. I have a lookup table which contains a list of all IP Addresses and Host Names in addition to other metadata information.

so the result of the search is something like :

Host1                     100

192.168.0.2         110

Host3                      120

 

and the lookup table something like:

Host1        192.168.0.1         App1         Owner1

Host2        192.168.0.2         App2         Owner2

Host3        192.168.0.3         App3         Owner3

 

I need to lookup for host value (IP or Server Name) returned in the search result and return all the metadata associated with that value.

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

johnhuang
Motivator
‎11-07-2022 08:06 AM

You can do the lookup twice. Either of these should work: 

 

| lookup lookup_name host AS host OUTPUT app AS app_1 owner AS owner_1
| lookup lookup_name ip AS host OUTPUT app AS app_2 owner AS owner_2
| eval app=COALESCE(app_1, app_2)
| eval owner=COALESCE(owner_1, owner_2)

 

| lookup lookup_name host AS host OUTPUTNEW app owner
| lookup lookup_name ip AS host OUTPUTNEW app owner

 

 

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

johnhuang
Motivator
‎11-07-2022 08:06 AM

You can do the lookup twice. Either of these should work: 

 

| lookup lookup_name host AS host OUTPUT app AS app_1 owner AS owner_1
| lookup lookup_name ip AS host OUTPUT app AS app_2 owner AS owner_2
| eval app=COALESCE(app_1, app_2)
| eval owner=COALESCE(owner_1, owner_2)

 

| lookup lookup_name host AS host OUTPUTNEW app owner
| lookup lookup_name ip AS host OUTPUTNEW app owner

 

 

 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...