- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to create a search for lookup to get results i...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to create a search for lookup to get results in single search?
Hi,
I have uploaded a csv file with fields User Name, A, B, C.
First I need to perform lookup with another file with fields 'User Name', 'Person', 'First Name', 'Last Name', 'Complete Name'.
After first lookup, I need to perform lookup with another file with fields 'Person', Email-ID, D, E, F
I need to have search results with User Name, First Name, Complete Name and Email-ID. Can you please help?
I managed to do it with some lookup configuration in settings but when trying to re-create the same, unable to do it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this:
|inputlookup first.csv
| rename "* *" AS *_*
| eval which="first"
| appendpipe [
|inputlookup second.csv
| rename "* *" AS *_*
| eval which="second" ]
| stats values(*) AS * BY UserName
| appendpipe [
|inputlookup third.csv
| rename "* *" AS *_*
| eval which="third" ]
| stats values(*) AS * dc(which) AS whichCount BY Person
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There are 200 records in the main uploaded file, but it is showing 392 records in the table with email-address as null.
source="UserList.csv" host="prd-p-bjs8j4b5tcmc" sourcetype="USR02"
| eval which="first" | appendpipe [
|inputlookup FullName.csv
|rename "Full Name" as full_name, "First Name" as first_name
|eval which="second" ]
| stats values(*) AS * by "User Name"
| appendpipe [
| inputlookup EmailID.csv
| rename "E-Mail Address" as email-address
| eval which="third" ]
| stats values(*) as * dc(which) AS whichCount BY Person
| table "User Name", email-address
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Anam
Hi @vineeth_jain
Were you able to test out @woodcock solution? Did it work? If yes, please don't forget to resolve this post by clicking on "Accept". If you still need more help, please provide a comment with some feedback.
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Field names with spaces are EVIL and hyphens are almost as bad. If something is not the way that it should be, then it is because your field names are not aligned.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First csv file has been uploaded as sourcetype using Upload option in 'Add Data' file
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OK, so then it becomes this:
index=YouShouldAlwaysSpecifyAnIndex sourcetype=AndSourcetypeToo
| eval which="first"
| appendpipe [
|inputlookup second.csv
| rename "* *" AS *_*
| eval which="second" ]
| stats values(*) AS * BY UserName
| appendpipe [
|inputlookup third.csv
| rename "* *" AS *_*
| eval which="third" ]
| stats values(*) AS * dc(which) AS whichCount BY Person
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
Adoption of RUM and APM at Splunk
