Solved: Re: Lookup help: Replace column result with value ...

96nick · ‎01-31-2022

Hey Splunkers. Quick question regarding my lookup. I have the Identity lookup with ES and I'd like to replace the 'priority' column value with the value in a separate lookup.

For example, my (abbreviated) identity lookup looks like this:

identity prefix   nick     priority
------   ------  -------   ---------
asmith (blank) Adam Smith   medium
cjean  (blank) Carol Jean   medium
bjean  (blank) Billy Jean   medium

I'd like to replace the priority value 'medium' in the above lookup with the value that matches my separate lookup that looks like:

identity      priority
------       ---------
asmith          high
cjean           low

So the original lookup would look like:

identity prefix   nick     priority
------   ------  -------   ---------
asmith (blank) Adam Smith  high
cjean  (blank) Carol Jean  low
bjean  (blank) Billy Jean  medium

I'm having trouble getting started on the search. How would I do this so that matches are updated but if no match is present than keep the original value? Thanks!

bmatlock_splunk · ‎02-01-2022

| inputlookup firstlookup
| join type=left identity
    [| inputlookup secondlookup ]

This will accomplish what you are trying to do. If secondlookup doesn't have a priority then the priority from firstlookup will be present. If you want to ignore the initial priorty complete in firstlookup just do:

| inputlookup firstlookup
| fields - priority
| join type=left identity
    [| inputlookup secondlookup ]

View solution in original post

bmatlock_splunk · ‎02-01-2022

| inputlookup firstlookup
| join type=left identity
    [| inputlookup secondlookup ]

This will accomplish what you are trying to do. If secondlookup doesn't have a priority then the priority from firstlookup will be present. If you want to ignore the initial priorty complete in firstlookup just do:

| inputlookup firstlookup
| fields - priority
| join type=left identity
    [| inputlookup secondlookup ]

ITWhisperer · ‎01-31-2022

| lookup firstlookup
| rename priority as default_proirity
| lookup secondlookup
| eval priority=coalesce(priority,default_proirity)
| fields - default_priority

TheLawsOfChaos · ‎02-01-2022

So this is close, but think you want inputlookup instead:

| inputlookup firstlookup
| rename priority as default_priority 
| inputlookup secondlookup
| eval priority=coalesce(priority,default_priority )
| fields - default_priority

ITWhisperer · ‎02-01-2022

You probably don't want inputlookup, certainly not two of them, they are generating commands. I was assuming there was already a search ahead of the lookups I was proposing, and this solution was to reset the priority found by the first lookup with the priority found by the second lookup where it was available (which seemed to be the essence of the original question).

TheLawsOfChaos · ‎02-01-2022

They are trying to combine one csv/lookup with the values of a second lookup.

If you were going to go the lookup route you would do the generating search, then run the lookup against the 'correct' priority data, to return the correct priority as something like 'new_priority', and then coalesce on that.

Lookup help: Replace column result with value in other lookup

lookup

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!