Splunk Search

Using two separate inputlookups

samwatson45
Path Finder

I have two files which I have uploaded into Splunk, and both work as intended.
One is a detailed file containing peoples names, along with other information.
The second is a specific list of names of people I am interested in looking at from the first file.

I know I can import files into my searches with
| inputlookup file.csv | The rest of the search

But when I try to input two lookups I get an error.
What is the easiest way to do this?


elliotproebstel
Champion

Based on what you've said in comments above, I believe this is the search structure you're looking for. I'll reference the file containing the logs you want to search as events_log.csv and the file containing the list of people as people.csv. This also assumes you have a column in people.csv called people_name, and that the logs in events_log.csv also contain a field called people_name.

| inputlookup events_log.csv where
 [ | inputlookup people.csv 
   | fields people_name ]

If the events_log.csv file names the field differently, then you'll need to add a rename command inside the subsearch so that the field names align.
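As an added example (not part of elliotproebstel's answer), here is the same subsearch filter when the two files name the column differently. It assumes, hypothetically, that events_log.csv calls the column `user` while people.csv calls it `people_name`: the rename inside the subsearch makes the generated filter refer to the outer field, dedup keeps the generated expression short, and format makes the OR expression that Splunk builds from the subsearch explicit.

```spl
| inputlookup events_log.csv where
    [ | inputlookup people.csv
      | fields people_name
      | rename people_name AS user
      | dedup user
      | format ]
```

The subsearch expands to `( ( user="A" ) OR ( user="B" ) ... )`, so only rows whose user matches a name in people.csv are returned. One caveat worth knowing before the list grows: a subsearch returns at most 10,000 results by default (limits.conf, [subsearch] maxout), and anything beyond that is dropped from the filter without an error.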

samwatson45
Path Finder

Thanks!
The problem has been solved now but your method works 🙂


elliotproebstel
Champion

Great. As an FYI, you should not use a join for searches like this if you can possibly avoid it. As data sizes grow, join will consume a lot of resources and will often have silent failures that will be a pain to diagnose. There will likely be times you can't avoid using a join in your search, but it's strongly recommended that you avoid them when possible.


samwatson45
Path Finder

Cool, useful to know, thanks!


493669
Super Champion

Try this:

| inputlookup file.csv | join people_name [ | inputlookup file2.csv ]

Here, join with the second lookup using the common field name; in your case it is the people_name field.

samwatson45
Path Finder

Maybe I should have been clearer: this simply added the second file on to the first.

The first file is the one I want to do the searching on; the second file contains a list of people I want to be searching against. Essentially it is an easier way than writing (person=A OR person=B....) in every search, and it also means the list can easily be updated.
So I essentially want to query the second file against the first.


493669
Super Champion

join will not append/add two files; instead it will match using common fields.
For example:

file1.csv

people_name    column2
A              2
B              3

file2.csv

people_name    column3
A              25
B              88

and now join will give output as

people_name    column2    column3
A              2          25
B              3          88
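As an added example, not taken verbatim from either poster, here is the merge of the two constructed files above written in two ways. The first is the join as described, with the common field named explicitly and the default type=inner spelled out, so only names present in both files survive. The second produces the same columns without join, using append and stats, which is the pattern usually reached for when the files grow and join starts to hit its resource limits (the concern raised earlier in the thread). Both assume the two small files file1.csv (people_name, column2) and file2.csv (people_name, column3) shown above.

```spl
| inputlookup file1.csv
| join type=inner people_name
    [ | inputlookup file2.csv ]

| inputlookup file1.csv
| append [ | inputlookup file2.csv ]
| stats values(column2) AS column2 values(column3) AS column3 BY people_name
| where isnotnull(column2) AND isnotnull(column3)
```

With the sample data both searches return the rows A 2 25 and B 3 88. The stats version combines rows by people_name, so if either file has several rows for the same name the columns come back as multivalue fields; the final where clause drops names that appear in only one file, which is what makes it equivalent to the inner join.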

samwatson45
Path Finder

Mine came out in the format

file1.csv

people_name    column2
A              2
B              3

file2.csv

people_name
A
B

output

people_name    people_name    column2
A              A              2
A              B              3

493669
Super Champion

could you provide what query you have tried?


samwatson45
Path Finder

Ah, I now see that I had part of the search string entered wrongly, my mistake.
This method works great, thanks for your help 🙂
