Splunk Search

Part 2: How to join two different results sharing a common field?

yohhpark
Path Finder

Let's say I have the result below:

index = indextest
source=stest
bunch of evals = evals
sourcetype=sttext
| table ID Status Remark Values

ID    Status    Remark      Values
11    PASS      CHECKED     something something hello
371   FAILED    CONFIRMED   someting hello SOME

 

Let's say I want to add another field from an inputlookup that is correlated with the ID number.

e.g.

| inputlookup test
| table ID ActualName

ID    ActualName
11    McDonald
371   BurgerKing

HOW do I simply insert that result into the first query so that I get a result like the one below?

ID    ActualValue   Status    Remark      Values
11    McDonald      PASS      CHECKED     something something hello
371   BurgerKing    FAILED    CONFIRMED   someting hello SOME

NOTE

When I try this,

index = indextest
source=stest
bunch of evals = evals
sourcetype=sttext
| append [ | inputlookup test ]
| stats values("ID") as ID, values("Actual Value") as "Actual Value" ...and so on... by System

the result comes out as

ID         ActualValue             Status         Remark               Values
11, 371    McDonald, BurgerKing    PASS, FAILED   CHECKED, CONFIRMED   something something hello, someting hello SOME

It's not separated.

Simply put: how do I insert an inputlookup result into a table that shares one common field?

0 Karma
1 Solution

ITWhisperer
SplunkTrust

index = indextest
source=stest
bunch of evals = evals
sourcetype=sttext
| lookup test ID
| table ID ActualName Status Remark Values


yohhpark
Path Finder

I've tried it. It's not working.

index=test
| table System Status

I simply need to input

| inputlookup test123
| table System IDnumber

so that the result shows

System IDnumber Status

struggling 😞

0 Karma

ITWhisperer
SplunkTrust

Why are you using inputlookup when all you appear to need is lookup?

Is there something else in your use case that requires you to use inputlookup?

0 Karma

yohhpark
Path Finder

Because it's a subsearch.

inputlookup is required.

The index does not contain such information.

0 Karma

ITWhisperer
SplunkTrust

From your example, i.e.

ID    Status    Remark      Values
11    PASS      CHECKED     something something hello
371   FAILED    CONFIRMED   someting hello SOME

becoming

ID    ActualValue   Status    Remark      Values
11    McDonald      PASS      CHECKED     something something hello
371   BurgerKing    FAILED    CONFIRMED   someting hello SOME

using a lookup called test with these contents

ID    ActualName
11    McDonald
371   BurgerKing

a lookup as I showed would do this.

Exactly how is your actual situation different from the above example, such that a simple lookup does not work?

0 Karma

yohhpark
Path Finder

I have used your idea.

I got the table first:

ID Status Remark

then used lookup to match the ID and output the ActualName,

then printed the table again.

The REASON it didn't work the first time was that the lookup table did not have the field as "ID"; it had it as something like 'title', different from the original SPL search. Therefore, I renamed ID to title, then did the lookup, and THEN switched title back to ID and tabled them out.

Worked!! Thank you so much. Learned a lot.

0 Karma

ITWhisperer
SplunkTrust

index = indextest
source=stest
bunch of evals = evals
sourcetype=sttext
| lookup test ID
| table ID ActualName Status Remark Values
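The same lookup written out for the field-name mismatch described in the thread, as an added example that is not from the original posts. It assumes the lookup is named test, its key column is title, and the event field is ID; the first search uses the AS clause of lookup to map the two names, the second is the rename approach the asker ended up with.

```spl
index=indextest source=stest sourcetype=sttext
| table ID Status Remark Values
| lookup test title AS ID OUTPUTNEW ActualName
| table ID ActualName Status Remark Values

index=indextest source=stest sourcetype=sttext
| rename ID AS title
| lookup test title OUTPUT ActualName
| rename title AS ID
| table ID ActualName Status Remark Values
```

Rows whose ID is absent from the lookup simply get an empty ActualName and stay as separate rows, whereas append plus stats values(...) by a field with a single value collapses every row into one multivalue row, which is the "not separated" output in the question.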