concat lookups for a search

rtalcik
Path Finder

So in this search, the full list is everything in zone A, do is everything in zone B, and zoneserialnumbers is a list of serial numbers.

The goal is to say everything in do is in both zoneserial and fulla_list.

| inputlookup fullA_list
| join [ | inputlookup zonesserialnumbers ]
| join SerialNumber type=outer [ | inputlookup do | rename serialNo as SerialNumber ]
| search in_do=yes Location=$location$
| fillnull value="No" in_do
| fillnull value="No" Owned
| fillnull value="No" In_full
| chart count by Owned

CSV details

do

deviceName | in_do | location | serialNo | uuid
| Yes | AAAA-AAA | AAAAAAAAAAA | AKAAIFKA112844921-129892184-19129

zoneserialnumbers csv

ProductName | SerialNumber | Owned
Numbers and letters | AAAAA1234AAAA | Yes

FullA_list csv

ComputerName | In_A_list | Location | SerialNumber | UDID
AAAAA-AAAAA | Yes | Country | AAAA1234AAA | AAAAAAAAAAAAAAAA-1234-AAAAAAAA

to4kawa
Ultra Champion
| makeresults 
| rename COMMENT as "inputlookup fullA_list"
| eval _raw="ComputerName,In_A_list,Location,SerialNumber,UUID
AAAAA-AAAAA,Yes,Country,AAAA1234AAA,AAAAAAAAAAAAAAAA-1234-AAAAAAAA"
| multikv forceheader=1
| table ComputerName,In_A_list,Location,SerialNumber,UUID
| rename COMMENT as "inputlookup zonesserialnumbers"
| join SerialNumber [|makeresults
|eval _raw="ProductName,SerialNumber,Owned
Numbers and letters,AAAA1234AAA,Yes"
| multikv forceheader=1 
| table ProductName,SerialNumber,Owned]
| rename COMMENT as "inputlookup do"
| join SerialNumber type=outer [ | makeresults
| eval _raw="deviceName,in_do,location,serialNo,uuid
XXX,Yes,AAAA-AAA,AAAA1234AAA,AKAAIFKA112844921-129892184-19129"
| multikv forceheader=1
| table deviceName,in_do,location,serialNo,uuid
| rename serialNo as SerialNumber ]

Your query looks good. What's wrong?

rtalcik
Path Finder

idk, maybe just me overthinking it

to4kawa
Ultra Champion

Where are the CSV details?

rtalcik
Path Finder

I didn't drop them due to the data in them

to4kawa
Ultra Champion

If there is no detail, no one can resolve your problem.

rtalcik
Path Finder

I posted them
