Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Using lookup tables

jbouch03
Path Finder
‎12-13-2013 12:25 PM

Having trouble getting a lookup table to replace my results. I have a lookup file that contains the following info:

AET,Location
FakeAET,Fakeplace

I have loaded the .csv file, and I have created a file-based lookup definition called AETtolocation. When I run my search I want to replace the results of the AET column with the info in the Location column, but everytime I run it I only get the information inside the AET column. Here is my searchstring:

eventtype="calling" | chart count by calling | lookup AETtolocation AET OUTPUT Location

Any assistance you could provide would be greatly appreciated. Thank you in advance.

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

Ayn
Legend
‎12-13-2013 01:36 PM

The lookup command is doing precisely what it's told to do. The stuff before OUTPUT is which fields you want to use as input to your lookup and the stuff after OUTPUT is which fields should be output. In your case the lookup will read the value of the field "AET" in your event, try to match it to its "AET" values and if it finds a match, it will write the matching value in the "Location" field in your event.

If you want to output to another field you can do it like this:

... | lookup AETtolocation AET OUTPUT Location AS AET

More info in the docs: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Lookup

View solution in original post

Reply
Solved! Jump to solution
Solution

Ayn
Legend
‎12-13-2013 01:36 PM

The lookup command is doing precisely what it's told to do. The stuff before OUTPUT is which fields you want to use as input to your lookup and the stuff after OUTPUT is which fields should be output. In your case the lookup will read the value of the field "AET" in your event, try to match it to its "AET" values and if it finds a match, it will write the matching value in the "Location" field in your event.

If you want to output to another field you can do it like this:

... | lookup AETtolocation AET OUTPUT Location AS AET

More info in the docs: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Lookup

Reply
Solved! Jump to solution

jbouch03
Path Finder
‎12-13-2013 02:00 PM

I got it...It was extra spacing in my results. I fixed the spacing in my transform and it went perfectly. thanks again.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

Data Management Digest – May 2026

Welcome to the May 2026 edition of Data Management Digest!   As your trusted partner in data innovation, the ...