Use automatic lookup to match one lookup field to ...

chioverheaddoor · ‎10-31-2018

I have a set of event data that contains id numbers instead of names. I have a lookup table created to match those id numbers to names. The problem is I can't figure out how to match the one lookup field "id" to all of the different variations of "id" in the event data. The event data uses fields like "assignee_id", "email_cc_id", "requester_id", and ","collaborator_id".

chioverheaddoor · ‎11-01-2018

I actually just got it to work by nesting the lookup command and bypassing the automatic lookup I had created.

| lookup zenuserids.csv id as submitter_id OUTPUTNEW name as submittername | lookup zenuserids.csv id as requester_id OUTPUTNEW name as requestername | lookup zenuserids.csv id as assignee_id OUTPUTNEW name as assigneename | table id,submittername,requestername,assigneename

briancronrath · ‎11-01-2018

How about joining on an evaluated field that uses an order of precedence to determine what the join will be on? You could keep all the original fields for your output, and just have the evaluated field for the purposes of joining. So something like:

[base search] | fillnull value="" | eval joiner=if(assignee_id!="",assignee_id,if(email_cc_id!="",email_cc_id,if(requester_id!="",requester_id,if(collaborator_id!="",collaborator_id,"")))) | lookup ID as joiner output ....

renjith_nair · ‎10-31-2018

@chioverheaddoors,

Try combining the fields,

eval id=coalesce(assignee_id,email_cc_id,requester_id,collaborator_id)

---
What goes around comes around. If it helps, hit it with Karma 🙂

chioverheaddoor · ‎11-01-2018

Thank you for your fast response. I dont think that will work as I need to list all of those fields individually

Use automatic lookup to match one lookup field to multiple event fields

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Buttercup Games: Further Dashboarding Techniques (Part 5)

Customers Increasingly Choose Splunk for Observability