- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to perform two lookups with same table and two...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am having trouble getting this to work. I have a lookup table with 4 columns:
A,B,C,D
=======
1,a,,,
,,2,b
I want to perform 2 lookups in the same query:
search | lookup mylookup.csv A | lookup mylookup.csv C
Should this work?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The solution is to use OUTPUTNEW which looks like it tells Splunk not to overwrite the field.
search | lookup mylookup.csv A OUTPUTNEW B | lookup mylookup.csv C OUTPUTNEW D
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The solution is to use OUTPUTNEW which looks like it tells Splunk not to overwrite the field.
search | lookup mylookup.csv A OUTPUTNEW B | lookup mylookup.csv C OUTPUTNEW D
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for this answer! It was helpful to realize that using the same output name is overwriting.
I did the following as well to collapse the output fields back into one field.
search
| lookup mylookup.csv A OUTPUTNEW B
| lookup mylookup.csv C OUTPUTNEW D
| lookup mylookup.csv E OUTPUTNEW F
| lookup mylookup.csv G OUTPUTNEW H
| eval allInOneAgain = coalesce(B, D , F ,H)
| fields - B D F H
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I wonder if the output of the first lookup do not erase your C field.
see http://docs.splunk.com/Documentation/Splunk/5.0.1/SearchReference/Lookup
try
search | lookup mylookup.csv A output B | lookup mylookup.csv C output D
or test to save the result in new fields to verify how the fields get's populated
search | lookup mylookup.csv A output A as firstA B AS firstB C as firstC D as firstD | lookup mylookup.csv C output A as secondA B AS secondB C as second C D as secondD
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, it appears that is what is happening. Or the 2nd lookup erases the first. I did come up with a kludgy workaround which is to create 2 lookup files so that there is no trampling.
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
