Solved: Re: help on subsearch in order to match a common f...

jip31 · ‎09-05-2019

hi

In a first lookup (host.csv), I have a field "host"
In a second lookup (toto.csv), I have also a field "host"
Is it enough to do
| inputlookup host.csv | appendcols [| inputlookup toto.csv] for that the host in the first lookup match with the host in the second lookup?
Is there also any way to do this?
thanks

HiroshiSatoh · ‎09-06-2019

For example

| inputlookup host.csv |dedup host| eval no=1
| append [| inputlookup toto.csv |dedup host|eval no=2]
| stats sum(no) as no by host
| eval match=case(no==1,"host.csv",no==2,"toto.csv",no==3,"match")

If only matches

| inputlookup host.csv 
| search [| inputlookup toto.csv |dedup host|table host]

View solution in original post

HiroshiSatoh · ‎09-06-2019

For example

| inputlookup host.csv |dedup host| eval no=1
| append [| inputlookup toto.csv |dedup host|eval no=2]
| stats sum(no) as no by host
| eval match=case(no==1,"host.csv",no==2,"toto.csv",no==3,"match")

If only matches

| inputlookup host.csv 
| search [| inputlookup toto.csv |dedup host|table host]

jip31 · ‎09-06-2019

PERFECT THANKS

help on subsearch in order to match a common field between 2 lookup files

Observe and Secure All Apps with Splunk

Splunk Decoded: Business Transactions vs Business IQ

Fastest way to demo Observability

Are you a member of the Splunk Community?

help on subsearch in order to match a common field between 2 lookup files

Observe and Secure All Apps with Splunk

Splunk Decoded: Business Transactions vs Business IQ

Fastest way to demo Observability