Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Two conditions for Lookup

DanielAmlung
Path Finder
‎01-04-2021 07:18 AM

Hi,

iam stuck with a problem where i need help from you guys. I have a search that runs IDs against a lookup to determine if that ID is from Production or Test Environment. Problem is: some IDs are double, means they exist in Prod and in Test. So when I search and hit one of those IDs they count against Prod and against Test. So i wanted to filter for two conditions that must be met - First would be the specific ID and second would be the environment. I cant get that to work, is there any way to select two conditions that must be met before the lookup give back an result?

I appreciate any feedback 🙂

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DanielAmlung
Path Finder
‎01-28-2021 04:00 AM

Fixed it

 

/close

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

DanielAmlung
Path Finder
‎01-28-2021 04:00 AM

Fixed it

 

/close

0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎01-04-2021 08:12 PM

lookup command takes as many conditions as needed

| lookup lookup_file id environment

that means you have to provide environment as a constraint to the lookup - is that what you mean?

you example indicates you are trying to determine if the id is test or prod, but if it returns both, is that not a valid response? What are you intending to do with the answer to the lookup?

 

 

 

0 Karma
Reply
Solved! Jump to solution

DanielAmlung
Path Finder
‎01-04-2021 11:48 PM

 

Hi, thats what i tried. But then i get a multi value field "environment" back which contains both prod and test. I could split that into two fields, but in the summary its wrong because than i have 6 prod events insted of 3.

Idea behind this is: we have a system that calls for specific functions. Every call is tied to an ID, but since they also test the system it can happen that this id is valid both in prod and test. So when i create a search that queries only for calls from a specific id within the prod environment, i get douple results.  Because the id is both found in prod and test. So i wanted to filter for two conditions first one would be the id and second one would be the environment. But that need to happen within the lookup statement and not after wards.

 

Example search with mvexpand:

index=XX  sourcetype=iis

NOT cs_User_Agent=performanceTester cs_uri_stem="*datapoints*values/*" 

| search XXid=XX475 

| lookup local=true lkp_XX_ids_kv XXId AS xx_id  OUTPUTNEW SourceSystemName as source_system Environment

| mvexpand Environment

|search Prod

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...