Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Matching values from two different look up tables but not combining them

alexrod559
Loves-to-Learn Lots
‎09-24-2021 09:54 AM

Hey guys,

So I have two look up tables table1 and table 2.

 

Table 1 
ID Username Fname Lname

Table 2
Username

 

What i want to do is have my search result look like this

 

ID, Username(from table one), Fname, Lname, Username(table two)
54, User1, John, Smith, User1

 

The reason i want it to do that is because i want to compare the username from table 1 to table 2 so that i can know the user is missing from the source we're getting the table 2 from.

I was able to get append to work but the issue i run into is it wont place the usernames in the same row. It shows all the values for table one fills the columns and then shows all the values for table 2 with the table one columns.

Ex:

 

ID, Username(from table one), Fname, Lname, Username(table two)
54, User1, John, Smith, (blank)
55, User2, Jane, Smith, (blank)
(blank),(blank),(blank),(blank),User1
(blank),(blank),(blank),(blank),User2

 

 

I just want the usernames from table 1 to match and be in the same row as the username in table2

Labels (3)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-24-2021 10:33 AM 
inputlookup table1
| append [inputlookup table2
  | eval table2="true"]
| stats values(*) as * by Username
0 Karma
Reply

alexrod559
Loves-to-Learn Lots
‎09-24-2021 11:29 AM

The unfortunately groups all the values of table one into a single cell.

 

I forgot to mention that username in table1 has a different field name than username in table 2 but the values match.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-24-2021 12:30 PM

Key piece of info - try renaming so table2 matches table1

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...