
How do you search one lookup field and display another lookup field's information if a matching event occurs?

N92
Path Finder

For example, I have lookup xyz.csv with two fields, A and B.

I want to search for the value of A field. If any match occurs, then the value of the A and B field should be displayed with other information, which is available in raw logs.


chrisyounger
SplunkTrust
SplunkTrust

Yes, it is possible to have lookups that use the field values from other lookups. Lookups run in sequence in their lexicographical order. For example, the following will work:

props.conf

[my_sourcetype]
LOOKUP-a = lookup-a host OUTPUTNEW fielda fieldb
LOOKUP-b = lookup-b fielda OUTPUTNEW fieldc

Good luck


woodcock
Esteemed Legend

Like this:

index=YouShouldAlwaysSpecifyAnIndex AND sourcetype=AndSourcetypeToo AND [|inputlookup xyz.csv | table A]
| lookup xyz.csv A OUTPUT B

xpac
SplunkTrust
SplunkTrust

As this is still a top result for this issue, I'd like to add:
In general, it works.
But if a lookup is larger than max_memtable_size in limits.conf (default: 10 MB), it will be indexed to disk. This seems to result in it being applied later, so if lookup a in the above example is too big, this won't work anymore.
Raising the limit will fix the issue.
Thanks a ton to @starcher for pointing this out to me!
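The chained automatic lookup from the accepted answer above, written out as the full set of configuration files it depends on, plus the limits.conf change from this comment. This is an added example, not configuration posted in the thread: the lookup definition names (lookup-a, lookup-b), the sourcetype my_sourcetype and the field names are taken from the answer; the CSV file names asset_owner.csv and owner_contact.csv and the 50000000 byte limit are assumptions. Splunk .conf files only accept comments on their own lines, so no trailing comments are used.

```ini
# transforms.conf (assumed file names; place the CSVs in the app's lookups/ directory)
# lookup-a maps host to fielda and fieldb; lookup-b maps fielda to fieldc.
[lookup-a]
filename = asset_owner.csv

[lookup-b]
filename = owner_contact.csv

# props.conf
# Automatic lookups are applied in lexicographic order of the LOOKUP-<name>
# key, not in the order they are written. "LOOKUP-a" sorts before "LOOKUP-b",
# so fielda already exists when lookup-b needs it as its input field.
[my_sourcetype]
LOOKUP-a = lookup-a host OUTPUTNEW fielda fieldb
LOOKUP-b = lookup-b fielda OUTPUTNEW fieldc

# Same chain with names that sort the wrong way. "LOOKUP-contact" sorts before
# "LOOKUP-owner", so the contact lookup runs before fielda has been added and
# fieldc is never populated. Kept commented out; do not define the stanza twice.
# [my_sourcetype]
# LOOKUP-owner   = lookup-a host OUTPUTNEW fielda fieldb
# LOOKUP-contact = lookup-b fielda OUTPUTNEW fieldc

# limits.conf
# A CSV larger than max_memtable_size is indexed on disk instead of held in
# memory, which per this thread changes when the automatic lookup is applied
# and breaks the chain. The value is in bytes; 10000000 (about 10 MB) is the
# default. Set it above the size of the larger CSV (50000000 is an assumed value).
[lookup]
max_memtable_size = 50000000
```

After deploying, confirm the effective stanza and key order with `splunk btool props list my_sourcetype --debug` and compare the on-disk CSV sizes against max_memtable_size before assuming both lookups are held in memory. Remember that automatic lookups only fire for events of that sourcetype at search time, so a search against the wrong index or sourcetype will show neither fieldb nor fieldc.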

starcher
SplunkTrust
SplunkTrust

The auto lookup feature requires it to be in RAM. So if it's over max_memtable_size, it isn't. The normal lookup command in SPL will work, just not "autolookup" in props.


xpac
SplunkTrust
SplunkTrust

So far I can not exactly confirm this. My "not in RAM" auto lookup works, but it seems to be applied AFTER the "in RAM" lookups. In my case, the latter depends on a field from the former, and therefore it fails.


chrisyounger
SplunkTrust
SplunkTrust

Wow, that's interesting and something I didn't know either. Thanks for sharing.


N92
Path Finder

My search is a subsearch.
For example:
index=* [|inputlookup xyz.csv | fields A B | rename A as search | format ] | stats count by _raw A B
