Solved: Help with a query using an index and a lookup tabl...

pstamati · ‎04-30-2018

Hello!

I have and index with help desk ticket data, Ticket ID, status among other fields. I also have a lookup table with specific Ticket IDs for which I'd like to query the ticket index to get specific fields from it. How can I build that search?

Example:
Index=Tickets
ChangeID Requestor Status
CRQ000001230099 User 1 Open
CRQ000001230100 User 2 Pending
CRQ000001230101 User 3 Close
CRQ000001230102 User 4 Open
CRQ000001230103 User 5 Pending
CRQ000001230104 User 6 Close
CRQ000001230105 User 7 Open
CRQ000001230106 User 8 Pending

Lookup Special Tickets

ChangeID Control
CRQ000001230100 G22
CRQ000001230102 G24
CRQ000001230103 G25
CRQ000001230105 G27

I want to run a search that returns for every ticket ID in the lookup, Requestor and Status fields from the Index.
Can you help me with this?

Thanks in advance for any assistance you can provide

somesoni2 · ‎04-30-2018

Try like this

index=Tickets [| inputlookup YourLooupTableName.csv | table ChangeID ]
| table ChangeID Requestor Status

View solution in original post

macadminrohit · ‎04-30-2018

index=Tickets [ | inputlookup lookup.csv | fields ChangeID ] | table ChangeID Requestor Status

somesoni2 · ‎04-30-2018

Try like this

index=Tickets [| inputlookup YourLooupTableName.csv | table ChangeID ]
| table ChangeID Requestor Status

pstamati · ‎05-01-2018

Many thanks!!

xpac · ‎04-30-2018

Changing the first table to fields should yield the same results, but be faster (with large lookups). 🙂

Help with a query using an index and a lookup table.

A Guide To Cloud Migration Success

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!