I have a database search that pulls back a list of IDs for me and I also have a Lookup that has the titles and the IDs that relate to the DB IDs. For example, see the below:
DB table has this ID: 123456
lookup csv has this title and ID: rhubarb and 123456
The DB table has lots of other information in there, which is why I need to join them to get more information, and I can't find anything similar on Splunk. I have put my test query below but it doesn't work, so any advice is appreciated.
| dbxquery connection="gg" query="SELECT * from idstudio" | rename Id1 as Id2 | join Id1 [search lookup Idslookup.csv]
You need to create a lookup definition on that csv lookup. For that follow this: http://docs.splunk.com/Documentation/Splunk/7.0.2/Knowledge/ConfigureCSVlookups
After you have created a lookup definition, let's say you named it Idslookup,
| dbxquery connection="gg" query="SELECT * from idstudio"
| lookup Id Idslookup OUTPUT <whatever field you want from the lookup>
Please let me know if the answer was useful for you. If it was, accept it and upvote. If not, give us more input so we can help you with that.
Thanks for the response. I have done this, but when I run the query it does not pull anything through from the lookup and only pulls through the DB query. I currently have the below:
| dbxquery connection="gg" query="SELECT * from idtable" | eval ParentId2=substr(ParentId , 1, len(ParentId )-3)
| lookup CommunityTitles2 KBID OUTPUT Title
In your lookup you have the column name prior to the lookup, which came back with an error message, so I swapped it around. Any idea why it is not pulling anything back from the lookup table?