Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Help with inputlookup and table

tlmayes
Contributor
‎09-15-2017 05:09 AM

I have a lookup table that has several columns as follows, with no data in the "Manager" column:

alt text

I have an index that has two fields of interest: IP, Manager. The field IP in the index will be the same as that in the lookup table. What I need to accomplish is:
1. Query the index for all instances where the IP in the lookup table is found also in the index
2. Populate the lookup table column "Manager" with the field data found from the query above, in the appropriate row based on IP relationship

Hope somebody can help

Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jkat54
SplunkTrust
SplunkTrust
‎09-15-2017 05:22 AM 
| inputlookup yourlookuo
| join IP type=inner [ search index=yourindex Manager=* IP=* ]
| table HOSTNAME Manager IP SUBNET ... 
| outputlookup yourLookup

This will only get events from yourindex where Manager and IP fields exist, and join them to the lookup, only keeping events that join to the lookup's IP field.

You will need your field names to match on both sides so if the field is called ipAddr in yourindex, you will want to use '| rename ipAddr as IP' in the join.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

jkat54
SplunkTrust
SplunkTrust
‎09-15-2017 05:22 AM 
| inputlookup yourlookuo
| join IP type=inner [ search index=yourindex Manager=* IP=* ]
| table HOSTNAME Manager IP SUBNET ... 
| outputlookup yourLookup

This will only get events from yourindex where Manager and IP fields exist, and join them to the lookup, only keeping events that join to the lookup's IP field.

You will need your field names to match on both sides so if the field is called ipAddr in yourindex, you will want to use '| rename ipAddr as IP' in the join.

0 Karma
Reply
Solved! Jump to solution

tlmayes
Contributor
‎09-15-2017 05:47 AM

One point I left out, not all IP's in the lookup table will match an IP in the index. For example, the lookup table has 1000 records, but only 40 matches between the two sources. Using this query, the lookup table is replaced with 40 matches, removing the 960 unmatched IP's. If I use "append=t", the matched records are ADDED to the list of 1000.

What I am hoping for is that the outcome is that I end up with the same 1000 entries in the lookup table, but with only 40 of them having an entry in the column "Manager". An update, not a replace or append.

0 Karma
Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎09-15-2017 05:57 AM

Ok change type=inner to type=outer.

0 Karma
Reply
Solved! Jump to solution

tlmayes
Contributor
‎09-15-2017 06:19 AM

That did it... Thanks very much

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...