First search:
index=prod |table assetId,SIZE,FORMAT,_time,processingHint |where assetId!="null"|outputlookup assetId_format_time.csv
Second search:
index =prod host=* [| inputlookup assetId_format_time.csv | fields+ assetId] | table assetId,clientId,mime,UserClientId,FORMAT,SIZE,_time,processingHint
But in the second search results, only clientId, mime, UserClientId should be from the second search, and assetId, FORMAT, SIZE, _time, processingHint should be from the inputlookup table.
Try the join command, like this:
index =prod host=* | join assetId [| inputlookup assetId_format_time.csv ] | table assetId,clientId,mime,UserClientId,FORMAT,SIZE,_time,processingHint
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Join
I have tried the join command, but the results are not what I require.
What I require is that clientId, mime, UserClientId should get appended to the matching assetId values in the table assetId_format_time.csv. The table contains 4 columns including the assetId column, resulting in a table which has a total of 7 columns.
Thanks
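One way to produce the table described in the last comment, as an added example that is not part of the original thread: start from the lookup so its rows and its assetId, FORMAT, SIZE, _time and processingHint values are kept, then left-join the three event fields onto it. Taking the latest value per assetId is an assumption, since the thread does not say how several events for one asset should be handled.

```spl
| inputlookup assetId_format_time.csv
| join type=left assetId
    [ search index=prod host=*
      | stats latest(clientId) AS clientId
              latest(mime) AS mime
              latest(UserClientId) AS UserClientId
              BY assetId ]
| table assetId, clientId, mime, UserClientId, FORMAT, SIZE, _time, processingHint
```

The join subsearch is subject to the subsearch result and runtime limits in limits.conf, so over a large time range some assetId rows can come back without the appended fields.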