Splunk Search

Join 2 lookups match fields

nathanluke86
Communicator

Hello,

I am looking to join 2 lookups and match the field "AccountName" from lookup 1 with the user field in lookup 2.

I have 269 results in lookup 1 and 250 results in lookup 2.

When I match the fields and join the lookups I lose the 19 results that don't have a match.

How can I do this and keep the 19 results so I can manually update them?

TIA

0 Karma
1 Solution

acfecondo75
Path Finder

Hello nathanluke86!

If you want to get the results from both lookups, try something like this:

| inputlookup lookup1.csv
| append
[|inputlookup lookup2.csv]

then to get only one row per user, you could add something like this to the end:

| stats values(*) as * by user


0 Karma
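The same merge written as a left join that keeps every row from lookup1 and flags the ones with no counterpart in lookup2, so the unmatched users can be reviewed by hand. This is an added example, not code from the thread: it assumes the file names lookup1.csv and lookup2.csv used above, that lookup1 carries the user in a field called AccountName and lookup2 in a field called user (as the question describes), and an output file name merged_users.csv chosen here for illustration.

```spl
| inputlookup lookup1.csv
| rename AccountName AS user
| lookup lookup2.csv user OUTPUT workstation guid sid user AS in_lookup2
| eval matched=if(isnotnull(in_lookup2), "yes", "no")
| fields - in_lookup2
| table user ip mac workstation guid sid matched
| outputlookup merged_users.csv
```

The `lookup` command behaves as a left join: rows of lookup1 with no match in lookup2 are kept with empty workstation, guid and sid, rather than being dropped the way the default (inner) `join` drops them. Outputting the match field itself under a new name (`user AS in_lookup2`) is what makes an absent match detectable even when lookup2 has blank values in its other columns. With the counts in the question, `| inputlookup merged_users.csv | stats count BY matched` should report 250 for yes and 19 for no, and `| inputlookup merged_users.csv | where matched="no"` lists the 19 users to fix manually. Two caveats worth checking before trusting the merged file: if lookup2 has more than one row for a user, `lookup` returns multivalue fields for that user, and `stats values(*) AS * BY user` in the answer above will likewise collapse duplicates into multivalue fields whose order no longer ties an ip to its mac. Also, `appendcols` does not match on a field at all: it pastes the subsearch's columns onto the main results row by row in position order, so with 269 rows on one side and 250 on the other, users would be silently paired with another user's workstation, guid and sid. The `lookup` form above (or `join type=left user [| inputlookup lookup2.csv]`) is the one to use when the merge must be keyed on user.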

richgalloway
SplunkTrust

Please tell us more about the problem you are trying to solve so we can help you find a solution.

---
If this reply helps you, Karma would be appreciated.
0 Karma

nathanluke86
Communicator

@richgalloway

Basically I want to join two lookups and combine the fields from both by matching on a user field.

lookup1 has fields user, ip, mac
lookup2 has fields user, workstation, guid, sid

I want to match the user field and then create a new lookup as below:

lookup with fields user, ip, mac, workstation, guid, sid.

I can join these by using |eval matchfield user, but when I do this I lose 19 results from lookup1 as there is no user match in lookup2.

lookup1 has 269 users
lookup2 has 250 users (missing 19 users)

I need to create the new lookup but also keep the 19 users that were not matched.

Hope that makes sense.

0 Karma


nathanluke86
Communicator

Thanks @acfecondo75

Used the above but changed append to appendcols.

0 Karma