- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to search variable field text values in lookup...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to search variable field text values in lookup against field text values in actual data?
I have created a lookup table with name simple.csv
The lookup table has fields as
Text, Name
Launched application: Automatic Registration, Automatic Registration
Launched application: Bone Mineral Density, Bone Mineral Density
Launched application: Comp. Cardiac, Comp. Cardiac
The Text value in the data is actually as
Launched application: Bone Mineral Density, PID 345 or
Launched application: Bone Mineral Density, PID 941 or
Launched application: Comp. Cardiac, now start or
Launched application: Comp. Cardiac, now stop
What i want is that it should search the specified Text as mentioned in the search and should fetch the Name specified against it from the Lookup table and give the desired Name in the table
i.e. the value in Text field of the lookup table has some part of Text that is to be matched with the Text in the actual data. Since both the fields are not having the same values i am not getting the required result.
while searching I am using
sourcetype=philips_client_logs Text="Launched application: Automatic Registration"|table Text|join[inputlookup simple.csv]*
kindly suggest what to do .
Thanks in advance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If the both fields text have not the same values in your actual data and your table lookup, it’s very normal that you don’t have the required results,because, to join both (your actual data with your simple.csv), it very necessary that the field “Text” of your actual data have all his values in the field “Text” of simple.csv file because this field is use as joint point of two file.
Thus, to search sourcetype=philips_client_logs Text="Launched application: Automatic Registration"|table Text|join[inputlookup simple.csv], its necessary that we have this value of “Text” in simple.csv.
My test display like follow:
1- verify if Text="Launched application: Automatic Registration" is locate in your simple.csv, because, when I run the search string with your data, index=business Text="Launched application: Automatic Registration"|table Text|join[inputlookup simple.csv] i get “no results found”. This is because this value of Text is not within the simple.csv file.
2- Finally, I run the search index=business Text="Launched application: Comp. Cardiac"|table Text|join [inputlookup simple.csv], I get the Name that match to value of “Text” like follow:
Text Name
Launched application: Comp. Cardiac Comp. Cardiac
Launched application: Comp. Cardiac Comp. Cardiac
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
do you obtain "no results found" or a results that is not required? Since when i run your search i get "no" results found, but i going to reply you
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
