Splunk Search

Lookup using an indexed log file

faustf
Communicator

Hi guys

I'm not an expert on Splunk.
I was wondering if I can use a lookup to reference fields that are stored in another log file (not CSV) indexed in Splunk.

Let me explain:
I have a log file indexed in Splunk:

col1,col2,GCD1,col4,col5
col1,col2,GCD2,col4,col5
col1,col2,GCD3,col4,col5

I have another file, also indexed in Splunk:

graph [
    directed 1
    node [
        id 1
        Node "Node1"
    ]
    node [
        id 2
        Node "Node2"
    ]
    node [
        id 3
        Node "Node3"
    ]
]

I need a new field, when I search the first file, that matches the GCD id with the id in the second file:

col1,col2,GCD1,col4,col5,Node1
col1,col2,GCD2,col4,col5,Node2
col1,col2,GCD3,col4,col5,Node3

Is this possible?
Thanks

0 Karma

martin_mueller
SplunkTrust

The general approach is something like this:

(search identifying data set 1) OR (search identifying data set 2) | stats values(field1) as field1 ... by common_field

The general assumption here is to have one event per "GCDn" on the left and one event per "id n" on the right; the stats stitches them together.

In your case you may need to do a bit of preprocessing, for example your first data set seems to have values like "GCD1" while the second data set appears to have values like "id 1" - those field values need to be harmonized before the stats, e.g. like this:

() OR () | eval common_field = case(expression identifying data set 1, replace(field_from_data_set_1, "GCD", ""), expression identifying data set 2, replace(field_from_data_set_2, "id ", ""), true(), "unknown id") | stats ...

More background: https://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-jo...
Even more background: https://wiki.splunk.com/Virtual_.conf March 2016 talk "Best practices around grouping and aggregating data from different search results"

0 Karma
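A worked version of the OR-then-stats pattern above, applied to the two data sets from the question. This is an added example, not code from either poster. It assumes the CSV events carry the field names col1..col5 (with col3 holding the GCDn value), that the GML file is line-broken so that each `node [ ... ]` block is one event, and that the two sourcetypes are named gcd_csv and gml_nodes in index main; all of those names are placeholders to adjust.

```spl
(index=main sourcetype="gcd_csv") OR (index=main sourcetype="gml_nodes")
| rex field=_raw "id\s+(?<node_id>\d+)\s+Node\s+\"(?<Node>[^\"]+)\""
| eval common_field = case(
      sourcetype=="gcd_csv",   replace(col3, "^GCD", ""),
      sourcetype=="gml_nodes", node_id,
      true(),                  "unknown id")
| stats values(col1) as col1 values(col2) as col2
        values(col4) as col4 values(col5) as col5
        values(Node) as Node
        by common_field
| eval col3 = "GCD" . common_field
| table col1 col2 col3 col4 col5 Node
```

The rex only matches the GML events, so node_id and Node stay empty on the CSV side; the eval then reduces both "GCD1" and "id 1" to the bare number "1", and stats by that number produces one row per id with the CSV columns and the Node name side by side. If the GML file is not line-broken per node, each id/Node pair will land in the same event and this rex will only pick up the first one; in that case add `max_match=0` to the rex and `mvexpand` the results before the eval.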