Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to use two lookups for comparison
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mprreddy51
Explorer
06-08-2016
09:54 PM
Hi All,
Here is my requirement:
I have 100 values (abc1,def1,....etc) in lookup1 and 100 values in lookup2 (ABC1,DEF1....etc) and I want to do this with LOOKUPS only, not case or if because of 100's of values in lookup1 and lookup2.
Events:
20140122T100513 EMP MESSAGE=RES COUNTRY=USA ACCNO=1234 TYPE=SET COUNT=0 STATUS=P REASON=ABC1
20140122T100515 EMP MESSAGE=RES COUNTRY=USA ACCNO=1235 TYPE=SET COUNT=1 STATUS=P REASON=abc1
20140122T100516 EMP MESSAGE=RES COUNTRY=USA ACCNO=1236 TYPE=SET COUNT=0 STATUS=P REASON=def1
20140122T100517 EMP MESSAGE=RES COUNTRY=USA ACCNO=1237 TYPE=SET COUNT=1 STATUS=P REASON=DEF1
20140122T100513 EMP MESSAGE=RES COUNTRY=USA ACCNO=1238 TYPE=SET COUNT=0 STATUS=P REASON=ghi1
20140122T100515 EMP MESSAGE=RES COUNTRY=USA ACCNO=1239 TYPE=SET COUNT=1 STATUS=P REASON=KLM1
20140122T100516 EMP MESSAGE=RES COUNTRY=USA ACCNO=1240 TYPE=SET COUNT=0 STATUS=P REASON=OPQ1
20140122T100517 EMP MESSAGE=RES COUNTRY=USA ACCNO=1241 TYPE=SET COUNT=1 STATUS=P REASON=xyz1
lookup1.csv
abc1
def1
ghi1
xyz1
lookup2.csv
ABC1
DEF1
KLM1
OPQ1
Expected output in a table:
ACCNO TYPE STATUS REASON BOX
1234 SET P ABC BOX2
1235 SET P abc BOX1
1236 SET P def BOX1
1237 SET P DEF BOX2
1238 SET P ghi BOX1
1239 SET P KLM BOX2
1240 SET P OPQ BOX2
1241 SET P xyz BOX1
Thanks in advance.
-P
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
06-09-2016
07:51 AM
Try like this
your base search | lookup lookup1.csv REASON OUTPUTNEW REASON as BOX1 | lookup lookup2.csv REASON OUTPUTNEW REASON as BOX2 | eval BOX=if(isnotnull(BOX1),"BOX1","BOX2") | fields - BOX1 BOX2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
06-09-2016
07:51 AM
Try like this
your base search | lookup lookup1.csv REASON OUTPUTNEW REASON as BOX1 | lookup lookup2.csv REASON OUTPUTNEW REASON as BOX2 | eval BOX=if(isnotnull(BOX1),"BOX1","BOX2") | fields - BOX1 BOX2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mprreddy51
Explorer
06-09-2016
10:00 AM
@somesoni2
Thanks Somesh.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mprreddy51
Explorer
07-08-2016
12:43 PM
Hi @somesoni2
If i use this query if any REASON comes apart from lookup1 and lookup2 by default it is taking BOX1.In this case it should show "N/A"
for example: If i get this new event with different REASON as shown below.
20150126T100519 EMP MESSAGE=RES COUNTRY=USA ACCNO=1290 TYPE=SET COUNT=1 STATUS=P REASON= ASIA
By defalut it is going to BOX1. It should display N/A
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Raschko
Communicator
07-08-2016
01:11 PM
Try this:
| eval BOX=if(isnull(BOX1),if(isnull(BOX2),"N/A","BOX2"),"BOX1")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mprreddy51
Explorer
07-08-2016
02:49 PM
@Raschko
It is showing all "N/A" only no luck
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Raschko
Communicator
07-08-2016
06:49 PM
Have you put the following after the eval?
| fields - BOX1 BOX2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
07-08-2016
01:11 PM
Replace | eval BOX=if(isnotnull(BOX1),"BOX1","BOX2") with | eval BOX=coalesce(BOX1,BOX2,"N/A")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mprreddy51
Explorer
06-09-2016
07:34 AM
Any suggestion/idea experts?
Get Updates on the Splunk Community!
ICYMI - Check out the latest releases of Splunk Edge Processor
Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.
HEC Receiver authorization ...
Introducing the 2024 SplunkTrust!
Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!
The ...
Introducing the 2024 Splunk MVPs!
We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...
