I have a lookup test_lookup with 2 fields a1 and b1. The field a1 is common with the fields in the raw data.
the values of field a1 and b1 are as follows:
a1 a2
a 1
a 2
b 3
b 4
What would be the o/p of the command ....| lookup test_lookup a1 OUTPUT a2?
hmm, I was asked this question in the Splunk interview today and was confused. So, the search would give an error or search won't work?
Hi @phularah,
usually you don't have any result in the OUTPUTTED fields when a key is duplicated, instead you should have the correlation for unique keys.
In your example youshuldn't have any value for a2 because a1 are both duplicated, if you have only one "c" value dor a1, you should have the related a2 value.
Ciao.
Giuseppe
Hi @phularah,
yes this is the correct syntax, but the problem is that you have more than one value for a1, so the lookup command doesn't know which value must be associated.
You should use a unique value field as key.
Ciao.
Giuseppe