Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Search to get info from lookup file if event field contains data from two field in lookup file?

Abhineet
Loves-to-Learn Everything
‎09-22-2022 01:33 AM

Want to create search to get info from lookup file if event field contains data from two field in lookup file.

log event have field "machineUserName" having value "employeeNumber" or "Email-ID" want to do lookup from "workdayData.csv" having two separate field for "employeeNumber" and "Email-ID" want to create lookup query  which will check "machineUserName" field from log event having either "employeeNumber" or "Email-ID" as value will check respective field in lookup and provide other information in lookup table.

Log Event Field

Abhineet_0-1663835259712.png

Lookup-table: WorkdayData.csv

Sample Data

HEADER:empId,empNum,name,email,country,loc,locDesc,OCGRP,OCSGRP,deptName,jobTitle,empStatus,bu,l1MgrEmail
Sample-Data: X0134567,AMAT-0134567,"Jose numo --CNTR","Jose_numo@contractor.amat.com","United States of America",CASCL,"Santa Clara,CA",AGS,OCE,"NACDC NAmer Entity","Logistics Operations - Supplie",Active,"AGS GPS&T, Operations & Central Engineering","Carmy_Hyden@amat.com"

 

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-22-2022 01:47 AM

Hi @Abhineet,

the solution is using two times the lookup command:

<your_search>
| lookup workdayData.csv employeeNumber AS machineUserName OUTPUTS <lookup_columns>
| lookup workdayData.csv Email-ID AS machineUserName OUTPUTS <lookup_columns>
| ...

Only one addition information: don't use "-" in field names, it's better "_" becausae it could be interpretated as the subtraction operator.

Ciao.

Giuseppe

0 Karma
Reply

Abhineet
Loves-to-Learn Everything
‎09-22-2022 02:02 AM

two lookup statement on same lookup file, 

2nd lookup statement overriding first lookup statement output and making it null.

Abhineet_0-1663837350898.png

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-22-2022 03:01 AM

Hi @Abhineet,

please use OUTPUTNEW instead OUTPUT

<your_search>
| lookup workdayData.csv employeeNumber AS machineUserName OUTPUTNEW <lookup_columns>
| lookup workdayData.csv Email-ID AS machineUserName OUTPUTNEW <lookup_columns>
| ...

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...