Splunk Search

Using field in lookup table to get field in second lookup table

billyhigdon
New Member

Hi All,

I'm new to Splunk and I'm trying to mess around with a few lookup tables that I imported. I have two, let's call them table1.csv and table2.csv. Table1.csv has many columns, however there are two in particular that I'm concerned with; servername (a column of all servers that have the Splunk forwarder installed) and clientcode (a codename that lists the client the server belongs to). Table2.csv has only two columns; email (the email distribution list for that client) and client_code (pretty much a duplicate of clientcode from table1.csv).

Here's what I would like to accomplish. I would like to write up a query that takes a servername within Table1.csv and writes the corresponding clientcode to a variable. I would then like it to take that variable and match it to the client_code column in Table2.csv, and from there grab the corresponding Email field and put it in a variable.

What I've written so far is here:

| inputlookup Table2.csv | lookup Table2.csv Email | where Client_Code="Client 1"

This seems to combine the two .CSV files into one, and allows me to look up the email address based upon the Client_Code. I can't for the life of me figure out how to extend this so as to have Client_Code automatically fed a string based upon the outcome of another lookup:

| inputlookup Table1.csv | lookup Table1.csv clientcode | where servername="Server 1"

Any idea how I can combine these to achieve my objective?

Thank You,
Billy

0 Karma

somesoni2
SplunkTrust

Try like this

| inputlookup Table1.csv | lookup Table2.csv client_code AS clientcode OUTPUT Email | where clientcode="Client 1" AND servername="Server 1" 

The field name for client code in Table1.csv is clientcode and client_code in Table2.csv, so the lookup command here incorporates that. It will basically populate Email for all the servernames in Table1.csv for which the client code exists in Table2.csv. You can then add appropriate filters.

0 Karma
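
The same two-table chain applied to event data rather than to `inputlookup`, as an added example that is not part of either post above. It assumes Table1.csv and Table2.csv are uploaded as lookup table files with the column names used in the answer (`servername`, `clientcode`, `client_code`, `Email`); the three events generated by `makeresults` are constructed sample data, and "Server 99" is a hypothetical server that is absent from Table1.csv.

```spl
| makeresults count=3
| streamstats count AS n
| eval servername=case(n=1, "Server 1", n=2, "Server 2", n=3, "Server 99")
| lookup Table1.csv servername OUTPUT clientcode
| lookup Table2.csv client_code AS clientcode OUTPUT Email
| fillnull value="unmapped" clientcode Email
| table servername clientcode Email
```

Field names in `lookup` are case-sensitive, so `client_code` and `Email` must match the CSV header row exactly. The `fillnull` step makes servers with no matching row in either table visible instead of leaving them with an empty Email.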