Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Using lookup tables

jbouch03
Path Finder
‎12-13-2013 12:25 PM

Having trouble getting a lookup table to replace my results. I have a lookup file that contains the following info:

AET,Location
FakeAET,Fakeplace

I have loaded the .csv file, and I have created a file-based lookup definition called AETtolocation. When I run my search I want to replace the results of the AET column with the info in the Location column, but everytime I run it I only get the information inside the AET column. Here is my searchstring:

eventtype="calling" | chart count by calling | lookup AETtolocation AET OUTPUT Location

Any assistance you could provide would be greatly appreciated. Thank you in advance.

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

Ayn
Legend
‎12-13-2013 01:36 PM

The lookup command is doing precisely what it's told to do. The stuff before OUTPUT is which fields you want to use as input to your lookup and the stuff after OUTPUT is which fields should be output. In your case the lookup will read the value of the field "AET" in your event, try to match it to its "AET" values and if it finds a match, it will write the matching value in the "Location" field in your event.

If you want to output to another field you can do it like this:

... | lookup AETtolocation AET OUTPUT Location AS AET

More info in the docs: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Lookup

View solution in original post

Reply
Solved! Jump to solution
Solution

Ayn
Legend
‎12-13-2013 01:36 PM

The lookup command is doing precisely what it's told to do. The stuff before OUTPUT is which fields you want to use as input to your lookup and the stuff after OUTPUT is which fields should be output. In your case the lookup will read the value of the field "AET" in your event, try to match it to its "AET" values and if it finds a match, it will write the matching value in the "Location" field in your event.

If you want to output to another field you can do it like this:

... | lookup AETtolocation AET OUTPUT Location AS AET

More info in the docs: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Lookup

Reply
Solved! Jump to solution

jbouch03
Path Finder
‎12-13-2013 02:00 PM

I got it...It was extra spacing in my results. I fixed the spacing in my transform and it went perfectly. thanks again.

Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
li.common.scroll-to.top