Solved: Is there a way to search multiple lookup tables an...

deadbits · ‎05-10-2013

I am having some trouble performing a search across multiple lookup tables. I have several csv's as lookup tables (let's say table1.csv, table2.csv, table3.csv), all of which have the same field names with different data. I am trying to get a trending view of this data over time - as each lookup table covers one week's worth of data.

Q: Is there a way to search multiple lookup tables and do a stats count by X across all the tables within the same search?

A search for an individual table works fine. for example: |inputlookup table2.csv | stats count by field1

Am I going about this the complete wrong way or is what I'm trying to do simply not possible? Any help at all would be greatly appreciated!

dart · ‎05-10-2013

For the question as asked, something like this might work for you:

| inputlookup table1.csv | inputlookup append=t table2.csv | inputlookup append=t table3.csv | stats count by field1

However, you probably want to differentiate between the lookups, which you could do by having a second field (lookup_name) like so:

| inputlookup table1.csv | inputlookup append=t table2.csv | inputlookup append=t table3.csv | stats count by field1 lookup_name

Depending on your use case you may want to use a time-based lookup combining all of the results.

View solution in original post

ksharma7 · ‎04-14-2020

Say I have two lookup table1.csv and table2.csv and both has different fields. Now I want to include table1.csv but exclude results from msin search for column present on table 2.csv. how to do that

richgalloway · ‎04-14-2020

@ksharma7, This question is nearly 7 years old with an accepted answer. Please post a new question describing your problem.

---
If this reply helps you, Karma would be appreciated.

dart · ‎05-10-2013

For the question as asked, something like this might work for you:

| inputlookup table1.csv | inputlookup append=t table2.csv | inputlookup append=t table3.csv | stats count by field1

However, you probably want to differentiate between the lookups, which you could do by having a second field (lookup_name) like so:

| inputlookup table1.csv | inputlookup append=t table2.csv | inputlookup append=t table3.csv | stats count by field1 lookup_name

Depending on your use case you may want to use a time-based lookup combining all of the results.

asharma737 · ‎03-30-2023

Hi @dart @deadbits @ksharma7 @ipark_splunk

1 Question:

whatever example you shared thats great and working but what about multiple lookups if i wanted to search , for example if i am having 20 lookups like table1.csv to table20.csv with different name , Actually we can do appending for each of one, need your help here.

2 Question:

whatever result we are receiving in that i wanted to add lookup name as well because my all lookups are having different name with different name.

Could you please help me on this ?

deadbits · ‎05-10-2013

Awesome, thank you. I think the time-based lookup is what I'm looking for. I had some luck with the append=t flag as well. Thanks for your help! 😄

ipark_splunk · ‎11-21-2018

Thanks @dart this is awesome! How about this one:

| inputlookup table1.csv 
| append 
    [| inputlookup table2.csv]
    [| inputlookup table3.csv]

Is there a way to search multiple lookup tables and do a stats count by X across all the tables within the same search?

lookup

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor