Splunk Search

How to combine the results of a query to matching fields of a column of an inputlookup csv file?

nikhilhanda
New Member

first search:
index=prod |table assetId,SIZE,FORMAT,_time,processingHint |where assetId!="null"|outputlookup assetId_format_time.csv

second search
index =prod host=* [| inputlookup assetId_format_time.csv | fields+ assetId] | table assetId,clientId,mime,UserClientId,FORMAT,SIZE,_time,processingHint

but in second search results only clientId,mime,UserClientId should be from second search, and assetId,FORMAT,SIZE,_time,processingHint should be from the inputlookup table.

0 Karma

sundareshr
Legend

Try the join command, like this

index =prod host=* | join assedId [| inputlookup assetId_format_time.csv ] | table assetId,clientId,mime,UserClientId,FORMAT,SIZE,_time,processingHint

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Join

0 Karma

nikhilhanda
New Member

I have tried the join command but results are not which i require.
What i require is that clientId,mime,UserClientId should get appended to matching assetId values in the table assetId_format_time.csv the table contains 4 columns including assetId column. resulting into a table which has total of 7 columns.

Thanks

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...