I have a lookup table, and then I added another field to the table (csv)
The original table contained some of the following:
user_id, name, company
I have now added the manager_user_id to the table (csv)
user_id, name, company, manager_user_id
I have an automatic lookup that links user=user_id, so when I perform a search the following fields show up:
name, company, etc...
The manager_user_id will can also be matched to the user_id
What I want to do is perform a lookup of the manager_user_id against the table where manager_user_id = user_id to enrich my data.
I would love to have an automatic lookup, but I am unsure what might happen with the fields from the automatic lookup where user=user_id
So, in my case, manager_user_id and user = a field in the table called user_id
You could try it - I think the real question is whether you can automatically lookup based on a field obtained from a lookup. In other words, can lookups be recursive?
I'm not sure if the automatic lookup will work, but a manual lookup will work:
... | lookup user_lookup manager_user_id as user_id OUTPUT name as manager_name manager_user_id as managers_manager
and you could put this in a macro called lookup_manager so that you would only have to type
... | `lookup_manager` | ...
BTW, my example assumes that you named the lookup user_lookup.
Is it possible to do a lookup in the same way that you do it as a SUMIFS equation in Excel. I understand that this is not an answer, but I was wondering if Splunk data can be approached that way?