Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

join two lookup tables

awedmondson
Explorer
‎01-15-2014 07:08 AM

Hi,
I have two lookup tables created by a search with outputlookup command ,as:
table_1.csv with fields _time, A,B
table_2.csv with fields _time, A,C

I can use [|inputlookup table_1 ] and call the csv file ok.

I need to somehow join the two tables to get _time, A,B,C
NOTE: the common field in A

One fly in the ointment is that field A is not exclusive, by that I mean that it appears more than once in both tables, but within 30 seconds in both tables. So the time I need it to join is within A appearing within a 30s span of each other.

I need to join to be as one event (one line on the outputed csv file)

Then output to csv for a report which is scheduled daily.
thanks

Tags (2)
0 Karma
Reply

Michael
Contributor
‎08-12-2019 09:53 AM

Easy peazy, I needed to include three tables and simply used:

| inputlookup table1.csv | inputlookup append=true table2.csv | inputlookup append=true table3.csv

Reply

jeandez
Explorer
‎04-04-2014 02:07 AM

hi ,
just to share something i was looking for.
i had two lookups A and B with one field .and i wanted to know if value in lookup A was in lookup B.
so i rename the field by the same name 'c' (in the both lookups). i applied this search and i found what i wanted : |inputlookup A |join c [inputlookup B].

0 Karma
Reply

Lowell
Super Champion
‎01-15-2014 07:26 AM

If your lookup tables have time, then it's possible that they should be indexed events and not lookup tables. In which case it would be possible to use the transaction command to issue the time restrictions you are looking for. This is still technically possible but a bit more awkward.

Try something like this:

| intputlookup table_1 | sort - _time | transaction A maxspan=30s | lookup table_2 A OUTPUT C | table _time, A, B, C

This assumes that the correct max_matches setting for the definition of table_2. However, the date effectivity of the lookup will be dependent on on proper settings for time_field,
time_format, max_offset_secs, and min_offset_secs. See the docs for transforms.conf for more details.

Another approach could be something like this:

| intputlookup table_1 | inputlookup append=t table_2 | sort - _time | transaction A maxpause=30s | table _time, A, B, C
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...