Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Two conditions for Lookup

DanielAmlung
Explorer
‎01-04-2021 07:18 AM

Hi,

iam stuck with a problem where i need help from you guys. I have a search that runs IDs against a lookup to determine if that ID is from Production or Test Environment. Problem is: some IDs are double, means they exist in Prod and in Test. So when I search and hit one of those IDs they count against Prod and against Test. So i wanted to filter for two conditions that must be met - First would be the specific ID and second would be the environment. I cant get that to work, is there any way to select two conditions that must be met before the lookup give back an result?

I appreciate any feedback 🙂

Labels (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DanielAmlung
Explorer
‎01-28-2021 04:00 AM

Fixed it

 

/close

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

DanielAmlung
Explorer
‎01-28-2021 04:00 AM

Fixed it

 

/close

0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎01-04-2021 08:12 PM

lookup command takes as many conditions as needed

| lookup lookup_file id environment

that means you have to provide environment as a constraint to the lookup - is that what you mean?

you example indicates you are trying to determine if the id is test or prod, but if it returns both, is that not a valid response? What are you intending to do with the answer to the lookup?

 

 

 

0 Karma
Reply
Solved! Jump to solution

DanielAmlung
Explorer
‎01-04-2021 11:48 PM

 

Hi, thats what i tried. But then i get a multi value field "environment" back which contains both prod and test. I could split that into two fields, but in the summary its wrong because than i have 6 prod events insted of 3.

Idea behind this is: we have a system that calls for specific functions. Every call is tied to an ID, but since they also test the system it can happen that this id is valid both in prod and test. So when i create a search that queries only for calls from a specific id within the prod environment, i get douple results.  Because the id is both found in prod and test. So i wanted to filter for two conditions first one would be the id and second one would be the environment. But that need to happen within the lookup statement and not after wards.

 

Example search with mvexpand:

index=XX  sourcetype=iis

NOT cs_User_Agent=performanceTester cs_uri_stem="*datapoints*values/*" 

| search XXid=XX475 

| lookup local=true lkp_XX_ids_kv XXId AS xx_id  OUTPUTNEW SourceSystemName as source_system Environment

| mvexpand Environment

|search Prod

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...