Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Use automatic lookup to match one lookup field to multiple event fields

chioverheaddoor
Explorer
‎10-31-2018 02:24 PM

I have a set of event data that contains id numbers instead of names. I have a lookup table created to match those id numbers to names. The problem is I can't figure out how to match the one lookup field "id" to all of the different variations of "id" in the event data. The event data uses fields like "assignee_id", "email_cc_id", "requester_id", and ","collaborator_id".

0 Karma
Reply

chioverheaddoor
Explorer
‎11-01-2018 02:31 PM

I actually just got it to work by nesting the lookup command and bypassing the automatic lookup I had created.

| lookup zenuserids.csv id as submitter_id OUTPUTNEW name as submittername | lookup zenuserids.csv id as requester_id OUTPUTNEW name as requestername | lookup zenuserids.csv id as assignee_id OUTPUTNEW name as assigneename | table id,submittername,requestername,assigneename

0 Karma
Reply

briancronrath
Contributor
‎11-01-2018 02:14 PM

How about joining on an evaluated field that uses an order of precedence to determine what the join will be on? You could keep all the original fields for your output, and just have the evaluated field for the purposes of joining. So something like:

[base search] | fillnull value="" | eval joiner=if(assignee_id!="",assignee_id,if(email_cc_id!="",email_cc_id,if(requester_id!="",requester_id,if(collaborator_id!="",collaborator_id,"")))) | lookup ID as joiner output ....
0 Karma
Reply

renjith_nair
Legend
‎10-31-2018 05:42 PM

@chioverheaddoors,

Try combining the fields,

eval id=coalesce(assignee_id,email_cc_id,requester_id,collaborator_id)
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply

chioverheaddoor
Explorer
‎11-01-2018 11:31 AM

Thank you for your fast response. I dont think that will work as I need to list all of those fields individually

0 Karma
Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...