Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Search for a pattern in a lookup CSV file which is received from first search from another lookup CSV file

surekhasplunk
Communicator
‎11-08-2017 04:16 AM

I have two lookup csv files.
file1.csv and file2.csv

1st query results me with field1 which has a pattern match in field2 of file2.csv not the exact match.

how can i achieve this in query .

Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎11-08-2017 04:23 AM

Hi surekhasplunk,
try something like this:

| inputlookup file1.csv
| search [ | inputlookup file2.csv | eval field1="*"+field2+"*" | fields field1 ]
| table .....

Bye.
Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎11-08-2017 04:23 AM

Hi surekhasplunk,
try something like this:

| inputlookup file1.csv
| search [ | inputlookup file2.csv | eval field1="*"+field2+"*" | fields field1 ]
| table .....

Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

surekhasplunk
Communicator
‎11-08-2017 06:00 AM

thanks @cusello,

It worked well with the numeric field data but somehow returning 0 results for character fields.
i have something filed1 value from file1.csv which looks like "APPLICATION SUPP" and i have
field2 value from file2.csv which looks like "Application Support"
so am doing a
| inputlookup file1.csv | eval a1=substr(field1,13,3) | eval a1=lower(a1)
| search [ | inputlookup file2.csv |eval a1=substr(field1,13,3)| eval b1=""+a1+""| eval field1=""+b1+"" | fields field1 ]
| table .....

but getting 0 rows returned

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...