I have a lookup abc.csv with the following values...
**header1, header2**
value1a, value2a
value1b, value2b
value1c, value2c
value1d, value2d
I have a base query that I need to first filter a fieldX by only values contained in the lookup abc.csv header1 column. I understand that I can do this using something like, "[ | inputlookup abc.csv | fields fieldX]" but there are two problems here...
Once the events are filtered, I need use the same lookup file abc.csv to output a new field with the values in header 2.
Correct me if I'm wrong but I believe i have to do it this way because it won't let me just use the lookup command (and forego inputlookup altogether) as most of the values in fieldX aren't present in header1 and i get this error... ** "Error in 'lookup' command: Could not find all of the specified lookup fields in the lookup table" **
I don't say this much, but altogether, it looks like this is a candidate for join
.
"MY SEARCH"
| eval splitField=split(fieldA,"-")
| eval temp=lower(mvindex(splitField,0))
| rex field=temp "service:(?<fieldX>.*)"
| join fieldX [|inputlookup abc.csv | rename header1 as fieldX ]
I don't say this much, but altogether, it looks like this is a candidate for join
.
"MY SEARCH"
| eval splitField=split(fieldA,"-")
| eval temp=lower(mvindex(splitField,0))
| rex field=temp "service:(?<fieldX>.*)"
| join fieldX [|inputlookup abc.csv | rename header1 as fieldX ]
hey that worked, thank you
You get option to rename lookup field names with inputlookup/lookup command use.
E.g. for inputlookup as filter
[ | inputlookup abc.csv | table header1 | rename header1 as fieldX ]
and for lookup
your search | lookup abc.csv header1 as fieldX OUTPUT header2 as newFieldNameThatYouWant
I would suggest reading lookup command documentation to learn more about lookup command, it's syntax and available options.
I'm not sure this will work for me as I don't have fieldX correctly 'configured' until several pipes after the base search query (As follows)...
"MY SEARCH" | eval splitField=split(fieldA,"-") | eval temp=lower(mvindex(splitField,0)) | rex field=temp "service:(?<fieldX>.*)" | ........
If I try to insert the lookup command after the last pipe above I get the following error "Subsearches are only valid as arguments to commands"
Also, does the above inputlookup syntax you mentioned actually filter out filedX values not contained in header1? What does the 'table' portion do, I feel like it is not intuitive after looking through http://docs.splunk.com/Documentation/Splunk/6.3.5/SearchReference/Inputlookup