
input lookup get values for the lookup only

Communicator

Hi, I have a very basic question.

I have an index index1 and sourcetype=ST1 with fields fieldA, fieldB and fieldC. I created a lookup CSV, Mylookup.csv, and provided the definition. In my lookup CSV, I have a field LUFieldA, which corresponds to fieldA. Let's say fieldA has 10000 values and LUFieldA has only 2000 values. I just need the info of fieldA, fieldB, and fieldC for the 2000 values from LUFieldA.

This is a very basic question but a bit tricky for me.

index= "index1" sourcetype="ST1" | inputlookup Mylookup.csv LUFieldA as fieldA | table fieldA, fieldB, fieldC

Re: input lookup get values for the lookup only

Influencer
index= "index1" sourcetype="ST1" [| inputlookup Mylookup.csv | rename LUFieldA as fieldA | table fieldA | format ] | table fieldA fieldB fieldC

Re: input lookup get values for the lookup only

Communicator

Hi, can you please check if [| inputlookup is correct? Also, where are we comparing LUFieldA and fieldA? What I meant is that I need the data for all LUFieldA values from the index and sourcetype.
Sorry for the trouble 🙂

0 Karma

Re: input lookup get values for the lookup only

Influencer

You are not comparing, but using the lookup as a subsearch to filter LUFieldA. That's the reason I renamed LUFieldA to fieldA, so that the field matches between your lookup and index. Did you try running the search?

0 Karma

Re: input lookup get values for the lookup only

Communicator

Hi, yes, I tried to run it and it was causing the issue. Then I checked the answer from @Robbie1194 and it worked fine.
You provided a really cool concept to me. Thanks a lot for it 🙂

0 Karma

Re: input lookup get values for the lookup only

Communicator

Now I know what's missing here: index= "index1" sourcetype="ST1" | search [| inputlookup Mylookup.csv | rename LUFieldA as fieldA | table fieldA | format ] | table fieldA fieldB fieldC

Thanks for the answer 🙂

0 Karma

Re: input lookup get values for the lookup only

Influencer

It should still work without the explicit | search command.

0 Karma

Re: input lookup get values for the lookup only

Communicator

Hi Chandras11

I don't know if I fully understand your question buuuuut I think what you need is:

index= "index1" sourcetype="ST1"
| search
[| inputlookup Mylookup.csv
| rename LUFieldA as fieldA
| fields fieldA]
| table fieldA, fieldB, fieldC

This will show you only the values (and all your tabled fields) that are in the lookup. If you wanted to exclude everything in the lookup from appearing in your search, you could use "| search NOT" instead of "| search".

Hope this helps.
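
The question raised earlier in the thread, where LUFieldA and fieldA get compared, comes down to what the subsearch expands to before the outer search runs. The Python sketch below is an added example, not code from the thread or from Splunk: it models that expansion on constructed sample data, and the function names, sample values and exact-string comparison are assumptions of the sketch.

```python
import csv
import io

# Constructed stand-in for Mylookup.csv (sample values, not from the thread).
LOOKUP_CSV = "LUFieldA,owner\nalpha,team1\nbeta,team2\n"

# Constructed stand-in for events in index1 / sourcetype ST1.
EVENTS = [
    {"fieldA": "alpha", "fieldB": "10", "fieldC": "x"},
    {"fieldA": "gamma", "fieldB": "20", "fieldC": "y"},
    {"fieldA": "beta", "fieldB": "30", "fieldC": "z"},
]


def subsearch_rows(csv_text, lookup_field, event_field):
    """Model of: inputlookup | rename <lookup_field> as <event_field> | fields <event_field>."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [{event_field: row[lookup_field]} for row in reader]


def expand(rows):
    """Build the boolean expression the subsearch hands to the outer search."""
    def term(key, value):
        # Escape backslashes and quotes so the value stays one quoted term.
        escaped = value.replace("\\", "\\\\").replace('"', '\\"')
        return f'{key}="{escaped}"'

    clauses = ["( " + " AND ".join(term(k, v) for k, v in row.items()) + " )"
               for row in rows]
    return "( " + " OR ".join(clauses) + " )"


def filter_events(events, rows, negate=False):
    """Keep events matching any row; negate=True models "| search NOT".

    Simplification of this sketch: values are compared as exact strings.
    """
    def matches(event):
        return any(all(event.get(k) == v for k, v in row.items()) for row in rows)

    return [e for e in events if matches(e) != negate]


def table(events, fields):
    """Model of the final "| table": keep only the listed fields."""
    return [{f: e.get(f) for f in fields} for e in events]
```

Calling `subsearch_rows` with the same name for both field arguments models the search without the rename: the generated terms then refer to LUFieldA, which no event carries, so nothing matches.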


Re: input lookup get values for the lookup only

Communicator

Thanks, that's what I was looking for. 🙂 I need to find the values from Mylookup.csv in index= "index1" sourcetype="ST1".

Thanks a lot.

0 Karma