Solved: Pulling multiple Columns from an inputlookup

dbturner · ‎03-06-2019

Trying to pull more than one column from an inputlookup. One of the columns maps to a field in the index I am searching in and the other I just want in as a category to table with. Struggling with how I would do that.

This is my current search and added subsearch:
index=myindex [| inputlookup my.csv | fields ip | rename ip as asset_ip] - I want to bring in a column named system from the lookup but don't need to rename it to fit into the index. I just want to make sure the system id in the lookup matches up to the appropriate ip for charting/tabling.

richgalloway · ‎03-06-2019

I think you may need to use the lookup twice.

index=myindex [| inputlookup my.csv | fields ip | rename ip as asset_ip] | lookup my.csv ip as asset_ip output system

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎03-06-2019

I think you may need to use the lookup twice.

index=myindex [| inputlookup my.csv | fields ip | rename ip as asset_ip] | lookup my.csv ip as asset_ip output system

---
If this reply helps you, Karma would be appreciated.

Pulling multiple Columns from an inputlookup

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

October Community Champions: A Shoutout to Our Contributors!

Are you a member of the Splunk Community?

Pulling multiple Columns from an inputlookup

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

October Community Champions: A Shoutout to Our Contributors!