Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Using a lookup table in a base search

DATT
Path Finder
‎10-03-2024 05:37 PM

I have a lookup table that we update on daily basis with two fields that are relevant here, NAME and ID. 

NAMEID
Toronto765
Toronto1157
Toronto36

 

I need to pull data from an index and filter for these three IDs. Normally I would just do 

<base search> 
| lookup lookup_table ID OUTPUT NAME 
| where NAME = "Toronto"

This works, but the search takes forever since the base search is pulling records from everywhere, and filtering afterward.  I'm wondering if it's possible to do something like this (psuedo code search incoming)

index=<index> ID IN (
    |[inputlookup lookup_table where NAME = "Toronto"])

Basically, I'm trying to save time by not pulling all the records at the beginning and instead filter on a dynamic value that I have to grab from a lookup table. 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎10-03-2024 05:52 PM

This is Splunk.  The answer is always yes:-)  In this case, it's much simpler than you think:

index=<index>
  [inputlookup lookup_table where NAME = "Toronto"
  | fields ID]

 

View solution in original post

Tags (1)
0 Karma
Reply
Solved! Jump to solution

jg91
Path Finder
‎10-03-2024 06:20 PM

Try this one

 

index=<index>
  [inputlookup lookup_table | search NAME = "Toronto"
  | table ID]

 

0 Karma
Reply
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎10-03-2024 05:52 PM

This is Splunk.  The answer is always yes:-)  In this case, it's much simpler than you think:

index=<index>
  [inputlookup lookup_table where NAME = "Toronto"
  | fields ID]

 

Tags (1)
0 Karma
Reply
Solved! Jump to solution

DATT
Path Finder
‎10-04-2024 09:31 AM

This worked for me!  I'm kind of surprised how close my psuedo search was to the right answer! 

 

I did modify this a little to use `search` instead of `where` so that I could add a dashboard token to this query as well.  

0 Karma
Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎10-04-2024 09:50 AM

You can still use token in that where clause.  In fact, where in an inputlookup uses the same syntax as search term, unlike the where command that requires an eval expression.

0 Karma
Reply
Solved! Jump to solution

jg91
Path Finder
‎10-03-2024 06:19 PM

 

 

I think we should use table instead of fields.

 

 

0 Karma
Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎10-03-2024 06:43 PM

No difference with inputlookup. fields is usually preferred if working with an index search that fetches actual events.

0 Karma
Reply
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureThursday, March 27, 2025  |  11AM PST / 2PM EST | Register NowStep boldly ...

Splunk AppDynamics with Cisco Secure Application

Web applications unfortunately present a target rich environment for security vulnerabilities and attacks. ...