How to join a DB search with a lookup.csv?

Sfry1981 · ‎03-20-2018

I have a database search that pulls back a list of ID's for me and I also have a Lookup that has the titles and the IDs that relates to the DB ID's. For example, see the below:

DB table has this ID: 123456
lookup csv has this title and ID: rhubarb and 123456

The DB table has lots of other information in there which is why I need to join them to get more information and I can't find anything similar on Splunk. I have put my test query below but doesn't work so any advice is appreciated

| dbxquery connection="gg" query="SELECT * from idstudio" | rename Id1 as Id2 | join Id1 [search lookup Idslookup.csv]

tiagofbmm · ‎03-20-2018

You need to create a lookup definition on that csv lookup. For that follow this: http://docs.splunk.com/Documentation/Splunk/7.0.2/Knowledge/ConfigureCSVlookups

After you have created a lookup definition, let's say you named it ldslookup,

| dbxquery connection="gg" query="SELECT * from idstudio" 
| lookup Id Idslookup OUTPUT <whatever field you want form the lookup>

tiagofbmm · ‎03-21-2018

Please let me know if the answer was useful for you. If it was, accept it and upvote. If not, give us more input so we can help you with that

Sfry1981 · ‎03-21-2018

Thanks for the response. I have done this but when i run the query it does not pull anything through from the lookup and only pulls through the db query. I currently have the below:

| dbxquery connection="gg" query="SELECT * from idtable" | eval ParentId2=substr(ParentId , 1, len(ParentId )-3)
| lookup CommunityTitles2 KBID OUTPUT Title

In your lookup you have the column name prior to the lookup which came back with an error message so i swapped it around. Any idea why it is not pulling anything back from the lookup table?

How to join a DB search with a lookup.csv?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!