How to search variable field text values in lookup against field text values in actual data?

20065945
Explorer

I have created a lookup table with name simple.csv
The lookup table has fields as

Text, Name

Launched application: Automatic Registration, Automatic Registration

Launched application: Bone Mineral Density, Bone Mineral Density

Launched application: Comp. Cardiac, Comp. Cardiac

The Text value in the data is actually as
Launched application: Bone Mineral Density, PID 345 or
Launched application: Bone Mineral Density, PID 941 or
Launched application: Comp. Cardiac, now start or
Launched application: Comp. Cardiac, now stop

What I want is that it should search the specified Text as mentioned in the search and should fetch the Name specified against it from the lookup table and give the desired Name in the table,
i.e. the value in the Text field of the lookup table has some part of the Text that is to be matched with the Text in the actual data. Since both the fields do not have the same values, I am not getting the required result.

While searching I am using

sourcetype=philips_client_logs Text="Launched application: Automatic Registration"|table Text|join[inputlookup simple.csv]*

Kindly suggest what to do.
Thanks in advance.

0 Karma

ngatchasandra
Builder

If the Text field does not have the same values in your actual data and in your lookup table, it is normal that you don't get the required results, because to join the two (your actual data with your simple.csv), it is necessary that the field “Text” of your actual data has all its values in the field “Text” of the simple.csv file, because this field is used as the join point of the two files.

Thus, to search sourcetype=philips_client_logs Text="Launched application: Automatic Registration"|table Text|join[inputlookup simple.csv], it's necessary that we have this value of “Text” in simple.csv.
My test displays as follows:

1- Verify whether Text="Launched application: Automatic Registration" is located in your simple.csv, because when I run the search string with your data, index=business Text="Launched application: Automatic Registration"|table Text|join[inputlookup simple.csv], I get “no results found”. This is because this value of Text is not within the simple.csv file.

2- Finally, when I run the search index=business Text="Launched application: Comp. Cardiac"|table Text|join [inputlookup simple.csv], I get the Name that matches the value of “Text”, as follows:

                  Text                               Name
                Launched application: Comp. Cardiac Comp. Cardiac
                Launched application: Comp. Cardiac Comp. Cardiac
0 Karma
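
Added example, not part of the original thread: the answer above explains that join only returns rows when Text is identical on both sides. One way to match on the leading part of Text instead is a wildcard lookup definition; the stanza name simple_wildcard and the trailing * appended to the CSV values are assumptions made for this illustration.

```ini
# transforms.conf -- lookup definition (stanza name "simple_wildcard" is hypothetical)
[simple_wildcard]
filename = simple.csv
# Treat the Text values in the CSV as wildcard patterns instead of exact strings
match_type = WILDCARD(Text)
# Return only the first matching row per event
max_matches = 1

# simple.csv -- same rows as in the question, with an assumed trailing * so that
# "Launched application: Bone Mineral Density, PID 345" matches its row:
#
#   Text,Name
#   "Launched application: Automatic Registration*",Automatic Registration
#   "Launched application: Bone Mineral Density*",Bone Mineral Density
#   "Launched application: Comp. Cardiac*",Comp. Cardiac
#
# Search -- lookup replaces the join; events with no matching row keep an empty Name:
#
#   sourcetype=philips_client_logs Text="Launched application:*"
#   | lookup simple_wildcard Text OUTPUT Name
#   | table Text Name
```
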

ngatchasandra
Builder

Do you obtain "no results found" or a result that is not required? Since when I run your search I get "no results found", but I am going to reply to you.

0 Karma