Solved: Report only if exists in external lookup

timmy13 · ‎06-13-2011

I have a very basic lookup defined. Given a UserID in my indexed data, I lookup the name from an external csv file that literally has two fields, UserID and Name.

Is it possible to report on only those records where the UserID exists in the external lookup, and filter out all records where the User ID does not exist?

ftk · ‎06-13-2011

you could do something like the following:

"your search terms" | lookup useridlookup UserID OUTPUT Name | search Name=*

View solution in original post

ftk · ‎06-13-2011

you could do something like the following:

"your search terms" | lookup useridlookup UserID OUTPUT Name | search Name=*

Glenn · ‎08-29-2014

You could do, but it's not efficient. There should be a way to use the lookup as a filter on the initial search. Here you have to search for everything and then filter later, depending on how big your total data set is compared to the set defined by your lookup, you could be doing a heck of a lot of extra disk reads.

Report only if exists in external lookup

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor