Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Match values under 2 different fields

linwqg
New Member
‎03-13-2018 05:17 AM

Need help. Appreciate in advance.

I have 2 lookup csv. I need to match each value under "numberX" field against the list of values under "numnberY" field. If there is a match, e.g. 4653, to obtain the following output.

alt text

Tags (1)
Preview file
94 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎03-14-2018 05:03 AM

@linwqg, try the following search

| inputlookup csv1.csv where 
    [| inputlookup csv2.csv 
    | rename numberY as numberX 
    | table numberX]
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

niketn
Legend
‎03-14-2018 05:03 AM

@linwqg, try the following search

| inputlookup csv1.csv where 
    [| inputlookup csv2.csv 
    | rename numberY as numberX 
    | table numberX]
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

linwqg
New Member
‎03-14-2018 09:15 AM

Thanks niketnilay. Will give it a try too.

0 Karma
Reply
Solved! Jump to solution

linwqg
New Member
‎03-15-2018 07:04 AM

Your approach work as well. Thanks niketnilay.

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎03-15-2018 09:36 AM

@linwqg, please accept the answer if your issue is resolved to mark this question as answered 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

HiroshiSatoh
Champion
‎03-13-2018 11:32 PM

Try this!

|inputlookup csv1|search [search |inputlookup csv2|rename numberY AS numberX |table numberX ]
|table numberX, info, more_info
OR
|inputlookup csv1|join type=inner numberX AS numberY [search |inputlookup csv2]
|table numberX, info, more_info
0 Karma
Reply
Solved! Jump to solution

linwqg
New Member
‎03-14-2018 04:32 AM

Many thanks. Will definitely give this a try as well.

0 Karma
Reply
Solved! Jump to solution

linwqg
New Member
‎03-14-2018 04:47 AM

I understand from the first pipe onward, that we are renaming the field and table it out.

Why is this important? How to interpret the search before all these?

search |inputlookup csv2|rename numberY AS numberX |table numberX

0 Karma
Reply
Solved! Jump to solution

HiroshiSatoh
Champion
‎03-14-2018 07:43 AM

|search [search |inputlookup csv2|rename numberY AS numberX |table numberX]

search (numberX="X" OR numberX="Y" OR numberX="Z")

0 Karma
Reply
Solved! Jump to solution

linwqg
New Member
‎03-14-2018 09:21 AM

What's the different between 1 and 2?

  1. |inputlookup csv1|search [search |inputlookup csv2|rename numberY AS numberX |table numberX ]
  2. |inputlookup csv1|search [|inputlookup csv2|rename numberY AS numberX |table numberX ]
0 Karma
Reply
Solved! Jump to solution

p_gurav
Champion
‎03-13-2018 06:10 AM

Hi,

try something like this:

|inputlookup csv2|lookup csv1 numberX AS numberY OUTPUTNEW info,more_info|table numberX, info, more_info
0 Karma
Reply
Solved! Jump to solution

linwqg
New Member
‎03-13-2018 07:02 PM

Thanks for the headstart.

Tried but it does not seem to work.

0 Karma
Reply
Solved! Jump to solution

linwqg
New Member
‎03-14-2018 04:33 AM

I did abit of cleanup and i think it works. Thanks p_gurav.

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What’s New & Next in Splunk SOAR

Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us for an ...

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

 Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team for an ...