lookup table issues

fresned · ‎07-05-2011

I have a lookup table set up like

lookup table name A1_timer

field_a   filed_b
test1     value1
test2     value2

source A1 looks like

field_A = test1  field_B = foo field_C = bar

I would like my output to look like:

field_A from source A1, field_b from lookup table A1_timer, field_B from source A1, field_C from source A1

source="A1.txt" lookup A1_timer A1_a OUTPUT A1_A A1_timer_b A1_b A1_c

the value in the source file A1.txt in filed A1_a is equal to lookup table A1_timer value A1_timer_a

I'm also getting sourcetype too small on my lookup table

any ideas?

jrwilk01 · ‎07-06-2011

There are some field name inconsistencies between your description and your example...

Based on your description, try this:

source="A1.txt" | lookup A1_timer field_A AS field_a | table field_A field_b field_B field_C

Three separate steps: search, lookup, and formatting.

Are you a member of the Splunk Community?