- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- I am using a lookup table and I only want the resu...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
lookup Down.csv node AS host, BBB AS Circuit
Table host,Circuit,msg,_time,node, BBB
I only want events to hit the table that have a match from the lookup.
Currently I am getting all events and the ones that do match have the fields populated with data and the other events are in the table with blanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In addition to the approach suggested by @mayurr98, there is also the option of using the fields in the lookup table as input into the base search to limit the result set to events that have corresponding entries in the lookup table. Here's how to do that:
your base search [ | inputlookup Down.csv | fields node BBB | format ]
Note that there is no | between your base search and the subsearch. What will come out of the subsearch will look like this:
((node="value1" AND BBB="val1") OR (node="value2" AND BBB="val2") OR (node="value3" AND BBB="val3")...)
With this approach, the base search will filter down to only events that have corresponding entries in the lookup file. If you still need to lookup the events in your lookup file to OUTPUT values from other columns in the csv, you can append the lookup as usual after the base search.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for all the help!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Glad we found you two working solutions!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for all the input. I am using the isnotnull option after the lookup, but I was hoping to use the lookup table as a filter.
My base search results need to be filtered by 2 fields in the lookup table. If they match then I need only the raw events that match and add some data from the lookup table to the raw events that are left over.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That's exactly what my answer below enables you to do. Have you tried it? If it's not working as you expected, I can help you troubleshoot.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In addition to the approach suggested by @mayurr98, there is also the option of using the fields in the lookup table as input into the base search to limit the result set to events that have corresponding entries in the lookup table. Here's how to do that:
your base search [ | inputlookup Down.csv | fields node BBB | format ]
Note that there is no | between your base search and the subsearch. What will come out of the subsearch will look like this:
((node="value1" AND BBB="val1") OR (node="value2" AND BBB="val2") OR (node="value3" AND BBB="val3")...)
With this approach, the base search will filter down to only events that have corresponding entries in the lookup file. If you still need to lookup the events in your lookup file to OUTPUT values from other columns in the csv, you can append the lookup as usual after the base search.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you want to save search processing time and if you want it run fast. I would suggest you to add one more column in csv say marker and put value 1 in that for every row.
Then run below search
lookup Down.csv node AS host, BBB AS Circuit
OUTPUT marker | search marker=* | Table host,Circuit,msg,_time,node, BBB
This will give your only common values between lookup and raw data...if you already have something in lookup file which is not in raw data then you can OUTPUT that field to raw data and then search for that field which will give you only match events .
Let me know if this helps!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There's actually no good reason to add another field into the lookup, assuming there already exists any column in the lookup table that is populated for every row. In fact, you will always know for sure that the fields node and BBB will exist, so you could just as easily do this without modifying the lookup table:
<your search>
| lookup Down.csv node AS host, BBB AS Circuit
| where isnotnull(node)
| Table host,Circuit,msg,_time,node, BBB
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This works also
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you can use join command...if you can provide sample events then i can helpwith query
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
