Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

input lookup get values for the lookup only

Chandras11
Communicator
‎06-13-2018 07:14 AM

Hi, I have a very Basic question.

I have an index index1 and sourcetype=ST1 with fields fieldA, fieldB and fieldC. I create a lookup CSV as Mylookup.csv and provide the definition. In my lookup CSV, I have fields LUFieldA which corresponds to fieldA. Let's say FieldA has 10000 values and LUFieldA has only 2000 values. I just need the info of fieldA, fieldB, and fieldC for the 2000 values from LUFieldA.

This is a very basic question but a bit tricky for me.

index= "index1" sourcetype="ST1" | inputlookup Mylookup.csv LUFieldA as fieldA | table fieldA, fieldB, fieldC
Reply
1 Solution
Solved! Jump to solution
Solution

Robbie1194
Communicator
‎06-13-2018 07:37 AM

Hi Chandras11

I don't know if I fully understand your question buuuuut I think what you need is:

index= "index1" sourcetype="ST1"
| search
[| inputlookup Mylookup.csv
| rename LUFieldA as fieldA
| fields FieldA]
| table fieldA, fieldB, fieldC

This will show you only the values (and all your tabled fields) that are in the lookup. If you wanted to exclude everything in the lookup from appearing in your search, you could use "| search NOT" instead of "| search"

Hope this helps.

View solution in original post

Reply
Solved! Jump to solution
Solution

Robbie1194
Communicator
‎06-13-2018 07:37 AM

Hi Chandras11

I don't know if I fully understand your question buuuuut I think what you need is:

index= "index1" sourcetype="ST1"
| search
[| inputlookup Mylookup.csv
| rename LUFieldA as fieldA
| fields FieldA]
| table fieldA, fieldB, fieldC

This will show you only the values (and all your tabled fields) that are in the lookup. If you wanted to exclude everything in the lookup from appearing in your search, you could use "| search NOT" instead of "| search"

Hope this helps.

Reply
Solved! Jump to solution

Chandras11
Communicator
‎06-13-2018 07:43 AM

thanks, thats what I was looking for. 🙂 I need to find the values from Mylookup.csv to ndex= "index1" sourcetype="ST1".

thanks a lot.

0 Karma
Reply
Solved! Jump to solution

pradeepkumarg
Influencer
‎06-13-2018 07:18 AM 
index= "index1" sourcetype="ST1" [| inputlookup Mylookup.csv | rename LUFieldA  as fieldA | table fieldA | format ] | table fieldA fieldB fieldC
Reply
Solved! Jump to solution

Chandras11
Communicator
‎06-13-2018 07:42 AM

Now I know whats missing here: index= "index1" sourcetype="ST1" | search [| inputlookup Mylookup.csv | rename LUFieldA as fieldA | table fieldA | format ] | table fieldA fieldB fieldC

thanks for the answer 🙂

0 Karma
Reply
Solved! Jump to solution

pradeepkumarg
Influencer
‎06-13-2018 08:17 AM

It should still work without the explicit | search command.

0 Karma
Reply
Solved! Jump to solution

Chandras11
Communicator
‎06-13-2018 07:27 AM

Hi, can you please check if [| inputlookup is correct. Also where are we comparing the LUFieldA and fieldA. What I meant is that I need the data for all LUFieldA values from the index and sourcetype..
soory for the trouble 🙂

0 Karma
Reply
Solved! Jump to solution

pradeepkumarg
Influencer
‎06-13-2018 07:39 AM

You are not comparing. But using lookup as a subsearch to filter LUFieldA. That's the reason I renamed LUFieldA to fieldA so that the field matches between your lookup and index. Did you try running the search?

0 Karma
Reply
Solved! Jump to solution

Chandras11
Communicator
‎06-14-2018 03:48 AM

Hi, Yes I tried to run it and it was causing the issue. Then I checked the answer from @Robbie1194 and worked fine.
You provided a really cool concept to me.. thanks a lot for it 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...