Splunk Enterprise

How to create a search that will compare results from search with lookup?

bosseres
Communicator

Hello everyone!

I have in my search results a table like A=1, B=1, C=3

I have a lookup like

Type A B C
server1 1 1 4
server2 1 1 5
server3 1 1 6

I need to make a search that will compare the results from my search with the lookup and, if at least one value in the appropriate column is equal, then the column is true; if not, false.

For example, A=1, and server1, server2 and server3 all have 1 in column A, so I need the result A=true. B is the same. But in column C there is no "3", so C is false. Help me please.


richgalloway
SplunkTrust

Each column will have to be tested separately using separate lookups.

| lookup mylookup.csv A OUTPUT Type
| eval resultA = if(isnull(Type), "false", "true")
| lookup mylookup.csv B OUTPUT Type
| eval resultB = if(isnull(Type), "false", "true")
| lookup mylookup.csv C OUTPUT Type
| eval resultC = if(isnull(Type), "false", "true")
---
If this reply helps you, Karma would be appreciated.

bosseres
Communicator

Thank you, it works!

Is it possible to make the comparison in one subsearch? I mean one comparison for all columns (because I have more columns than 3).


richgalloway
SplunkTrust

If you want a separate result for each column then you'll need multiple lookups.  The lookup command has an implicit AND for each input field.  It returns a single result if all of the fields match the same row in the lookup file; otherwise, it returns null.

In this case, you could use

| lookup mylookup.csv A B C OUTPUT Type

and would get a null Type field if C=3.  There would be no way to know, however, which field caused the "false" result.

---
If this reply helps you, Karma would be appreciated.
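The two replies above describe two behaviours of the lookup command: one input field per lookup gives an independent true/false per column, while several input fields in one lookup are ANDed and must all match the same row. The following Python is an added example (not Splunk code and not from either poster) that emulates both behaviours over the thread's three-row table, constructed inline as CSV text, so the difference can be checked offline. The field names and the "server1..3" rows come from the question; the function names are this example's own.

```python
import csv
import io

# Constructed copy of the lookup table from the question (not a real lookup file).
LOOKUP_CSV = """Type,A,B,C
server1,1,1,4
server2,1,1,5
server3,1,1,6
"""


def load_lookup(text: str) -> list[dict]:
    """Parse the CSV lookup into a list of row dicts, as Splunk would read mylookup.csv."""
    return list(csv.DictReader(io.StringIO(text)))


def lookup_match(rows: list[dict], event: dict, fields: list[str]):
    """Emulate `| lookup <file> f1 f2 ... OUTPUT Type`.

    All input fields are ANDed: a single row must match every field.
    Returns the Type of the first matching row (Splunk's default max_matches=1),
    or None when no row matches, which is the null Type the reply describes.
    """
    for row in rows:
        if all(str(event.get(f)) == row[f] for f in fields):
            return row["Type"]
    return None


def per_column_results(rows: list[dict], event: dict, fields: list[str]) -> dict:
    """Emulate the accepted answer: one lookup per column, each yielding "true"/"false".

    Each column is tested on its own, so a value only has to appear somewhere
    in that column of the lookup, in any row.
    """
    return {
        f"result{f}": "true" if lookup_match(rows, event, [f]) is not None else "false"
        for f in fields
    }


def combined_result(rows: list[dict], event: dict, fields: list[str]) -> bool:
    """Emulate the single multi-field lookup `| lookup mylookup.csv A B C OUTPUT Type`.

    True only when one row matches all fields at once; a False result does not
    say which field caused the mismatch.
    """
    return lookup_match(rows, event, fields) is not None


if __name__ == "__main__":
    table = load_lookup(LOOKUP_CSV)
    event = {"A": 1, "B": 1, "C": 3}  # the search result from the question
    print(per_column_results(table, event, ["A", "B", "C"]))
    print(combined_result(table, event, ["A", "B", "C"]))
```

Running it shows resultA and resultB as "true" and resultC as "false" for the question's event, while the combined lookup is false because no single row has C=3; change C to 5 and the combined lookup matches server2.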

bosseres
Communicator

I did, not actual
