- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: input lookup get values for the lookup only
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, I have a very Basic question.
I have an index index1 and sourcetype=ST1 with fields fieldA, fieldB and fieldC. I create a lookup CSV as Mylookup.csv and provide the definition. In my lookup CSV, I have fields LUFieldA which corresponds to fieldA. Let's say FieldA has 10000 values and LUFieldA has only 2000 values. I just need the info of fieldA, fieldB, and fieldC for the 2000 values from LUFieldA.
This is a very basic question but a bit tricky for me.
index= "index1" sourcetype="ST1" | inputlookup Mylookup.csv LUFieldA as fieldA | table fieldA, fieldB, fieldC
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Chandras11
I don't know if I fully understand your question buuuuut I think what you need is:
index= "index1" sourcetype="ST1"
| search
[| inputlookup Mylookup.csv
| rename LUFieldA as fieldA
| fields FieldA]
| table fieldA, fieldB, fieldC
This will show you only the values (and all your tabled fields) that are in the lookup. If you wanted to exclude everything in the lookup from appearing in your search, you could use "| search NOT" instead of "| search"
Hope this helps.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Chandras11
I don't know if I fully understand your question buuuuut I think what you need is:
index= "index1" sourcetype="ST1"
| search
[| inputlookup Mylookup.csv
| rename LUFieldA as fieldA
| fields FieldA]
| table fieldA, fieldB, fieldC
This will show you only the values (and all your tabled fields) that are in the lookup. If you wanted to exclude everything in the lookup from appearing in your search, you could use "| search NOT" instead of "| search"
Hope this helps.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks, thats what I was looking for. 🙂 I need to find the values from Mylookup.csv to ndex= "index1" sourcetype="ST1".
thanks a lot.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index= "index1" sourcetype="ST1" [| inputlookup Mylookup.csv | rename LUFieldA as fieldA | table fieldA | format ] | table fieldA fieldB fieldC
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Now I know whats missing here: index= "index1" sourcetype="ST1" | search [| inputlookup Mylookup.csv | rename LUFieldA as fieldA | table fieldA | format ] | table fieldA fieldB fieldC
thanks for the answer 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It should still work without the explicit | search command.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, can you please check if [| inputlookup is correct. Also where are we comparing the LUFieldA and fieldA. What I meant is that I need the data for all LUFieldA values from the index and sourcetype..
soory for the trouble 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You are not comparing. But using lookup as a subsearch to filter LUFieldA. That's the reason I renamed LUFieldA to fieldA so that the field matches between your lookup and index. Did you try running the search?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, Yes I tried to run it and it was causing the issue. Then I checked the answer from @Robbie1194 and worked fine.
You provided a really cool concept to me.. thanks a lot for it 🙂
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
