Solved: Re: Using two seperate inputlookups

samwatson45 · ‎02-07-2018

I have two files which I have uploaded into Splunk, and both work as intended.
One is a detailed file containing peoples names, along with other information.
The second is a specific list of names of people I am interested in looking at from the first file.

I know I can import files into my searches with
| inputlookup file.csv | The rest of the search

But when I try to input two lookups I get an error.
What is the easiest way to do this?

493669 · ‎02-07-2018

Try this:

|inputlookup file.csv|join <common fieldname i.e. people name> [|inputlookup file2.csv]

here join with second lookup using common fieldname as in your case it is people_name field

View solution in original post

elliotproebstel · ‎02-07-2018

Based on what you've said in comments above, I believe this is the search structure you're looking for. I'll reference the file containing the logs you want to search as events_log.csv and the file containing the list of people as people.csv. This also assumes you have a column in people.csv called people_name, and that the logs in events_log.csv also contain a field called people_name.

| inputlookup events_log.csv where
 [ | inputlookup people.csv 
   | fields people_name ]

If the events_log.csv file names the field differently, then you'll need to a rename command inside the subsearch to make the field names align.

samwatson45 · ‎02-07-2018

Thanks!
The problem has been solved now but your method works 🙂

elliotproebstel · ‎02-07-2018

Great. As an FYI, you should not use a join for searches like this if you can possibly avoid it. As data sizes grow, join will consume a lot of resources and will often have silent failures that will be a pain to diagnose. There will likely be times you can't avoid using a join in your search, but it's strongly recommended that you avoid them when possible.

samwatson45 · ‎02-07-2018

Cool, useful to know, thanks!

493669 · ‎02-07-2018

Try this:

|inputlookup file.csv|join <common fieldname i.e. people name> [|inputlookup file2.csv]

here join with second lookup using common fieldname as in your case it is people_name field

samwatson45 · ‎02-07-2018

Maybe I should have been more clear, this simply added on the second file to the first.

The first file is one I want to do the searching on, the second file contains a list of people I want to be searching again. Essentially it is an easier way rather than writing (person=A OR person=B....) in every search and also means it can easily be updated.
So I essentially want to query the second file against the first.

493669 · ‎02-07-2018

join will not append/add two files instead it will match using common fields .
for ex.
file1.csv

people_name        column2
A                         2
B                         3

file2.csv

people_name                   column3
A                           25
B                           88

and now join will give output as

people_name  column2                 column3
A                  2                   25
B                  3                   88

samwatson45 · ‎02-07-2018

Mine came out in the format

file1.csv

people_name column2
A 2
B 3

file2.csv

people_name

A

B

output

people_name people_name column2

A A 2

A B 3

493669 · ‎02-07-2018

could you provide what query you have tried?

samwatson45 · ‎02-07-2018

Ah, I now see that I had the part of the search string entered wrongly, my mistake.
This method works great, thanks for your help 🙂

Using two seperate inputlookups

Unlock Database Monitoring with Splunk Observability Cloud

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join the Conversation

Using two seperate inputlookups

Unlock Database Monitoring with Splunk Observability Cloud

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk