Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Searching result using two inputlookup collections

ssamant007
Explorer
‎09-08-2021 01:30 AM

I need to find the rows from the first inputlookup collection that has matching field values from the second inputlookup collection.

For example:

collection A :      field1, field2, field3

                                  X             1          3

                                   X            2         4

                                    Y            4         1

                                    Z             1        2

                                     B            3         3

                                     B            1           1

CollectionB:    fieldX

                               X       

                               Y         

                               B          

The expected result is: (exclude row containing 'Z' as it does not entry in collectionB)

                                 field1, field2, field3

                                  X             1          3

                                   X            2         4

                                   Y            4         1

                                    B            1           1

the query like:

| inputlookup collectionA | search field1 IN ('X','Y','Z'....).

How can I set  values 'X','Y','Z'....  to search for field1 from collectionB as this list can be of any length. I tried the following but didn't work:

| inputlookup collectionA | search field1 IN (| inputlookup collectionB  |fields fieldX). (as in reality the collectionB can have more than one columns but I want to match values only with fieldX)

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-08-2021 01:42 AM

Try something like this

| inputlookup collectionA | search [| inputlookup collectionB | fields fieldX | rename fieldX as field1 | format]

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-08-2021 01:42 AM

Try something like this

| inputlookup collectionA | search [| inputlookup collectionB | fields fieldX | rename fieldX as field1 | format]
Reply
Solved! Jump to solution

ssamant007
Explorer
‎09-08-2021 02:13 AM

Thanks @ITWhisperer .

0 Karma
Reply
Solved! Jump to solution

ssamant007
Explorer
‎09-08-2021 01:53 AM

What if I need to match with only subset of fieldX values from collectionB into the field1 values from collectionA assuming the collectionB has other fields .

Like 

collectionB:

  fieldX,   fieldY

 Y              ss

A               zz

B               yy

i.e. first I need to extract results from collectionB based on column 'fieldY' say fieldY='zz' 

| inputlookup collectionA | search [| inputlookup collectionB | search fieldY ='zz' | fields fieldX | rename..... but it didnt serve my required results. It is returning all the rows from collection A.

 

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...