Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Using a lookup table in a base search

DATT
Path Finder
‎10-03-2024 05:37 PM

I have a lookup table that we update on daily basis with two fields that are relevant here, NAME and ID. 

NAMEID
Toronto765
Toronto1157
Toronto36

 

I need to pull data from an index and filter for these three IDs. Normally I would just do 

<base search> 
| lookup lookup_table ID OUTPUT NAME 
| where NAME = "Toronto"

This works, but the search takes forever since the base search is pulling records from everywhere, and filtering afterward.  I'm wondering if it's possible to do something like this (psuedo code search incoming)

index=<index> ID IN (
    |[inputlookup lookup_table where NAME = "Toronto"])

Basically, I'm trying to save time by not pulling all the records at the beginning and instead filter on a dynamic value that I have to grab from a lookup table. 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎10-03-2024 05:52 PM

This is Splunk.  The answer is always yes:-)  In this case, it's much simpler than you think:

index=<index>
  [inputlookup lookup_table where NAME = "Toronto"
  | fields ID]

 

View solution in original post

Tags (1)
0 Karma
Reply
Solved! Jump to solution

jg91
Path Finder
‎10-03-2024 06:20 PM

Try this one

 

index=<index>
  [inputlookup lookup_table | search NAME = "Toronto"
  | table ID]

 

0 Karma
Reply
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎10-03-2024 05:52 PM

This is Splunk.  The answer is always yes:-)  In this case, it's much simpler than you think:

index=<index>
  [inputlookup lookup_table where NAME = "Toronto"
  | fields ID]

 

Tags (1)
0 Karma
Reply
Solved! Jump to solution

DATT
Path Finder
‎10-04-2024 09:31 AM

This worked for me!  I'm kind of surprised how close my psuedo search was to the right answer! 

 

I did modify this a little to use `search` instead of `where` so that I could add a dashboard token to this query as well.  

0 Karma
Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎10-04-2024 09:50 AM

You can still use token in that where clause.  In fact, where in an inputlookup uses the same syntax as search term, unlike the where command that requires an eval expression.

0 Karma
Reply
Solved! Jump to solution

jg91
Path Finder
‎10-03-2024 06:19 PM

 

 

I think we should use table instead of fields.

 

 

0 Karma
Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎10-03-2024 06:43 PM

No difference with inputlookup. fields is usually preferred if working with an index search that fetches actual events.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL  The Splunk AI Assistant for SPL ...

Buttercup Games: Further Dashboarding Techniques (Part 5)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Customers Increasingly Choose Splunk for Observability

For the second year in a row, Splunk was recognized as a Leader in the 2024 Gartner® Magic Quadrant™ for ...