Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

When using two lookups in a single search, I'm unable to value from the second lookup. How do I do that?

tchintam
Path Finder
‎03-14-2018 04:34 AM

|inputlookup |eval duration="xyz"|append[inputlookup |eval duration2="abc"]|eval dur3=duration-duration2| table dur

Here, the query is taking value of only the first lookup and not the second one. As a result, I don't get the final table with the value that I require. How to solve this?

0 Karma
Reply

niketn
Legend
‎03-14-2018 05:17 AM

I think Pipe missing in second inputlookup is the reason why you do not have data from second csv. As you were able to pull up data from first lookup file I believe lookup file names have been omitted on purpose.

However, what I dont understand is the purpose of adding duration and duration2 to your two lookups? Rather than that, you can directly add dur3 as the static value that you need.

Also, can you add the content of the two lookup files? Do they have same values being correlated? Please add more information for us to assist you better.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

mayurr98
Super Champion
‎03-14-2018 05:05 AM

I am bit confused by your query. As you are doing subtraction, I am assuming that it is a numerical field.

| inputlookup filename.csv 
| eval duration="xyz" 
| append 
    [| inputlookup filename1.csv 
    | eval duration2="abc"] 
| eval dur3=duration-duration2 
| table dur

Also the syntax of lookup is | inputlookup <yourcsv>
If this does not give you solution. kindly provide sample input as well as let us know which all csv file are there in the query.
let me know if this helps!

0 Karma
Reply

cmerriman
Super Champion
‎03-14-2018 05:01 AM

with append, it's just appending the values to the bottom of the first search. doing a subtraction won't work because there will be nothing on the duration2 column next to the duration1 column until you merge them together.

you could try to use join if there is a field to join the two lookups together, just as an ID. otherwise, you could try using appendcols
https://docs.splunk.com/Documentation/Splunk/7.0.2/SearchReference/Appendcols
the other option is using stats somehow to join.

0 Karma
Reply

tomaszwrona
Explorer
‎03-14-2018 04:56 AM

Hi,

let's say you have two lookups:
- answers.csv

answers_duration
5
10
20

  • answers2.csv

    answers2_duration
    2
    3
    5

then to calculate the value youwould do this:

| inputlookup answers.csv | appendcols [| inputlookup answers2.csv] | eval duration=answers_duration-answers2_duration

Best regards
Tomasz

Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...