Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Lookup for a value in two lookup table columns?

Hisham
Engager
‎11-07-2022 07:51 AM

Hi,

I have generated a search which return list of hosts and the count of events for these host. sometime the host values returned as IP Address and others as Host Name. I have a lookup table which contains a list of all IP Addresses and Host Names in addition to other metadata information.

so the result of the search is something like :

Host1                     100

192.168.0.2         110

Host3                      120

 

and the lookup table something like:

Host1        192.168.0.1         App1         Owner1

Host2        192.168.0.2         App2         Owner2

Host3        192.168.0.3         App3         Owner3

 

I need to lookup for host value (IP or Server Name) returned in the search result and return all the metadata associated with that value.

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

johnhuang
Motivator
‎11-07-2022 08:06 AM

You can do the lookup twice. Either of these should work: 

 

| lookup lookup_name host AS host OUTPUT app AS app_1 owner AS owner_1
| lookup lookup_name ip AS host OUTPUT app AS app_2 owner AS owner_2
| eval app=COALESCE(app_1, app_2)
| eval owner=COALESCE(owner_1, owner_2)

 

| lookup lookup_name host AS host OUTPUTNEW app owner
| lookup lookup_name ip AS host OUTPUTNEW app owner

 

 

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

johnhuang
Motivator
‎11-07-2022 08:06 AM

You can do the lookup twice. Either of these should work: 

 

| lookup lookup_name host AS host OUTPUT app AS app_1 owner AS owner_1
| lookup lookup_name ip AS host OUTPUT app AS app_2 owner AS owner_2
| eval app=COALESCE(app_1, app_2)
| eval owner=COALESCE(owner_1, owner_2)

 

| lookup lookup_name host AS host OUTPUTNEW app owner
| lookup lookup_name ip AS host OUTPUTNEW app owner

 

 

 

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...