How to create Splunk lookup query?

phularah · ‎08-09-2023

I have a lookup test_lookup with 2 fields a1 and b1. The field a1 is common with the fields in the raw data.
the values of field a1 and b1 are as follows:
a1 a2

a 1

a 2

b 3

b 4

What would be the o/p of the command ....| lookup test_lookup a1 OUTPUT a2?

phularah · ‎08-09-2023

hmm, I was asked this question in the Splunk interview today and was confused. So, the search would give an error or search won't work?

gcusello · ‎08-09-2023

Hi @phularah,

usually you don't have any result in the OUTPUTTED fields when a key is duplicated, instead you should have the correlation for unique keys.

In your example youshuldn't have any value for a2 because a1 are both duplicated, if you have only one "c" value dor a1, you should have the related a2 value.

Ciao.

Giuseppe

gcusello · ‎08-09-2023

Hi @phularah,

yes this is the correct syntax, but the problem is that you have more than one value for a1, so the lookup command doesn't know which value must be associated.

You should use a unique value field as key.

Ciao.

Giuseppe

How to create Splunk lookup query?

lookup

stats

Index This | I’m short for "configuration file.” What am I?

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Your Guide to SPL2 at .conf24!