Splunk Search

lookup help


I have a lookup table, and then I added another field to the table (csv)

The original table contained some of the following:

user_id, name, company

I have now added the manager_user_id to the table (csv)

user_id, name, company, manager_user_id

I have an automatic lookup that links user=user_id, so when I perform a search the following fields show up:

name, company, etc...

The manager_user_id will can also be matched to the user_id

What I want to do is perform a lookup of the manager_user_id against the table where manager_user_id = user_id to enrich my data.

I would love to have an automatic lookup, but I am unsure what might happen with the fields from the automatic lookup where user=user_id

So, in my case, manager_user_id and user = a field in the table called user_id

Tags (1)
0 Karma


You could try it - I think the real question is whether you can automatically lookup based on a field obtained from a lookup. In other words, can lookups be recursive?

I'm not sure if the automatic lookup will work, but a manual lookup will work:

 ... | lookup user_lookup manager_user_id as user_id OUTPUT name as manager_name manager_user_id as managers_manager

and you could put this in a macro called lookup_manager so that you would only have to type

 ... | `lookup_manager` | ...

BTW, my example assumes that you named the lookup user_lookup.

0 Karma

New Member

Is it possible to do a lookup in the same way that you do it as a SUMIFS equation in Excel. I understand that this is not an answer, but I was wondering if Splunk data can be approached that way?

0 Karma