Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Matching values from two different look up tables but not combining them

alexrod559
Loves-to-Learn Lots
‎09-24-2021 09:54 AM

Hey guys,

So I have two look up tables table1 and table 2.

 

Table 1 
ID Username Fname Lname

Table 2
Username

 

What i want to do is have my search result look like this

 

ID, Username(from table one), Fname, Lname, Username(table two)
54, User1, John, Smith, User1

 

The reason i want it to do that is because i want to compare the username from table 1 to table 2 so that i can know the user is missing from the source we're getting the table 2 from.

I was able to get append to work but the issue i run into is it wont place the usernames in the same row. It shows all the values for table one fills the columns and then shows all the values for table 2 with the table one columns.

Ex:

 

ID, Username(from table one), Fname, Lname, Username(table two)
54, User1, John, Smith, (blank)
55, User2, Jane, Smith, (blank)
(blank),(blank),(blank),(blank),User1
(blank),(blank),(blank),(blank),User2

 

 

I just want the usernames from table 1 to match and be in the same row as the username in table2

Labels (3)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-24-2021 10:33 AM 
inputlookup table1
| append [inputlookup table2
  | eval table2="true"]
| stats values(*) as * by Username
0 Karma
Reply

alexrod559
Loves-to-Learn Lots
‎09-24-2021 11:29 AM

The unfortunately groups all the values of table one into a single cell.

 

I forgot to mention that username in table1 has a different field name than username in table 2 but the values match.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-24-2021 12:30 PM

Key piece of info - try renaming so table2 matches table1

0 Karma
Reply
Get Updates on the Splunk Community!

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...

Index This | What goes away as soon as you talk about it?

May 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this month’s ...

What's New in Splunk Observability Cloud and Splunk AppDynamics - May 2025

This month, we’re delivering several new innovations in Splunk Observability Cloud and Splunk AppDynamics ...
Top