How do I combine two unrelated inputlookups in the...

timmag · ‎03-15-2018

Say I have one lookup which has various fields like host, source and other stuff. And another lookup which has fields like date, time and other stuff. I want to use these two lookups in the same search where-in I want to exclude the events that are there in second lookup from the first one. (No common fields for the lookups) How can I do that?

MousumiChowdhur · ‎03-15-2018

Hi!

You can use the below query to display the result from both the lookups:

| inputlookup <lookupname> | appendcols [ | inputlookup <lookupname>]

Please let me know what exactly do you need to exclude further.

timmag · ‎03-16-2018

This isn't helping. From the first lookup, say I want to calculate the number of events generated for that day. The second lookup has time say 12:00-13:00 (1 hour) when I don't want the count of that events for that hour. So, I basically want the count of events for the day excluding the time mentioned in the second lookup.

MousumiChowdhur · ‎03-16-2018

There needs to be a common field atleast time field to get the exclusion done.

somesoni2 · ‎03-15-2018

There has to some sort of relationship between those two lookup files based on which you can say an entry is in both lookups. What would be that rule if there are no common fields? Timestamp??

timmag · ‎03-15-2018

I am not going to combine the lookups. I just want to use information from both of these in a single search.

How do I combine two unrelated inputlookups in the same search?

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes