Can you perform an automatic lookup based on the o...

chris2416 · ‎01-21-2015

I have an automatic database lookup that I'm using to pull in data on values that may change over time within my DB. The initial table has a unique index and I am able to link the second table through a db lookup and see the fields within Splunk however many of the fields have cryptic values that are described in another table that I would also like to use as an automatic db lookup. When I try to run a second automatic db lookup that uses the values from the first lookup as input nothing appears in Splunk.

Is there anyway to do linked automatic lookups so that the output of one automatic lookup is the input to another or are you only able to run lookups based on data you've indexed into Splunk?

I should specify that I am able to perform the second lookup using the lookup command at search time however nothing comes back when I enter it as an automatic lookup.

Thanks!

delink · ‎08-26-2016

You might want to consider writing a more complicated SQL query to do all of those joins on the backend, then present only the individual fields that you care about from the joined SQL results by narrowing down what you include in the SELECT statement.

wpreston · ‎01-21-2015

Yes, you can use the output of one lookup as an input to another lookup in an automatic lookup. I have this set up and working on my system. Splunk processes your lookup files in alphabetical order by the name of the lookup. You need to ensure that the file containing the field that will be used as an input to another automatic lookup is processed BEFORE the automatic lookup that needs that field. So, if the_first_lookup outputs a field that is needed for a_later_lookup to work, I need to rename a_later_lookup so that it will be processed AFTER the_first_lookup, such as zz_a_later_lookup.

parteek_accentu · ‎04-15-2019

hi .. i am also using this approach to use lookup-1 and lookup-2 class names so that output of lookup-1 can be used in lookup-2 but it is not working i am using 7.03 version
kindly help

chris2416 · ‎01-23-2015

I'm still having trouble with this, I'm wonder if the fact that it's a db lookup as opposed to a file lookup it may have something to do with it?

Here's an example of what I've tried:
Initial data has a field/values of ID=3 and NameID=20
First lookup goes to the db and finds ID AS ID to lookup NameID AS NewNameID and find the value (I realize this is redundant and I didn't need to import NameID in the first place if I'm looking it up but I already have the data imported so I left it as is. I have to do a lookup in this situation because the value NameID may change over time while the index remains the same).
Second lookup goes to the db and finds NewNameID=NewNameID OUTPUT ActualName AS ActualName

I know each lookup works standalone but once I add the first lookup the second wont produce anything and I've made sure that the names are alphabetically in correct. I also know that the lookups work when I deliberately lookup specific values without the use of the Automatic Lookup.

wpreston · ‎01-26-2015

I don't think the one lookup being a DB lookup should affect it, my first lookup is a DB lookup and the second lookup is a file based lookup that chains off of it. Can you post the relevant parts of your transforms.confand props.conffiles?

sgundeti · ‎01-21-2015

Try as below..

base search | lookup "first-lookup.csv" field1 as field-from-splunk OUTPUT output-field as output-field | lookup "second_lookup.csv" field-in-2ndcsv as output-field OUTPUT final-field-from-2ndCsv as Final_output_field

here "output-field" from first lookup and "output-field" in second lookup should match.

chris2416 · ‎01-21-2015

Thanks sgundeti, I'm not sure I was able to put my update in before your response.

I have been able to do what you mentioned above, the trouble I'm having is setting both lookups up as automated lookups. I have several tables that I need to perform lookups on and would like to try and avoid having a large search string that is primarily listing the input/output lookups for every query I perform.

sgundeti · ‎01-21-2015

not sure if it works, but did you try to use eval with case or if statements

chris2416 · ‎01-21-2015

I'm not sure using eval will help, I'm assuming that you mean to use eval so that the second automatic lookup will be executed only if the value from the first is produced? However, in my case there is always a value associated with each of the lookup tables. I'm wondering if there is some place to set the precedence in which each automatic lookup is executed so that I can be sure the first automatic lookup is complete prior to the second one executing..

Can you perform an automatic lookup based on the output of another automatic lookup?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!