Solved: Report only if exists in external lookup

timmy13 · ‎06-13-2011

I have a very basic lookup defined. Given a UserID in my indexed data, I lookup the name from an external csv file that literally has two fields, UserID and Name.

Is it possible to report on only those records where the UserID exists in the external lookup, and filter out all records where the User ID does not exist?

ftk · ‎06-13-2011

you could do something like the following:

"your search terms" | lookup useridlookup UserID OUTPUT Name | search Name=*

View solution in original post

ftk · ‎06-13-2011

you could do something like the following:

"your search terms" | lookup useridlookup UserID OUTPUT Name | search Name=*

Glenn · ‎08-29-2014

You could do, but it's not efficient. There should be a way to use the lookup as a filter on the initial search. Here you have to search for everything and then filter later, depending on how big your total data set is compared to the set defined by your lookup, you could be doing a heck of a lot of extra disk reads.

Report only if exists in external lookup

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

GA: New Data Management App in Splunk Platform

Announcing Modern Navigation: A New Era of Splunk User Experience

Join the Conversation