Solved: How to add a new column after lookup match?

cpm003 · ‎05-23-2019

Hi all,
I'm stuck with this i hope somebody can helps me.

I have a csv lookup with following data for search matches on my previous indexed data

Hostname, Vendor,Product, Version
mke001,apache,http_server,2.4.38
Mke003,apache,http_server,2.3.3

I want to add hostname column to following query:

index=main | table Vendor Product Version | search [ | inputlookup inventory.csv | table Vendor Product Version ]

marycordova · ‎05-23-2019

Try this (I forget if you can use multiple values for the matching part of the lookup the This as That part):

index=main
| table Vendor Product Version
| lookup Vendor as Vendor Product as Product Version as Version OUTPUT Hostname

@marycordova

View solution in original post

DavidHourani · ‎05-23-2019

Hi @cpm003,

Check out this answer :
https://answers.splunk.com/answers/135646/lookup-command-multiple-input-fields.html

You can do what you're looking for pretty easily :
Note: The lookup command can accept multiple lookup and local fields and destfields. For example:

lookup <lookup-table-name> <lookup-field1> AS <local-field1>, <lookup-field2> AS <local-field2> OUTPUTNEW <lookup-destfield1> AS <local-destfield1>, <lookup-destfield2> AS <local-destfield2>

So your search should look like this :

index=main | table Vendor Product Version | lookup Vendor,Product,Version  OUTPUT Hostname

Cheers,
David

marycordova · ‎05-23-2019

Try this (I forget if you can use multiple values for the matching part of the lookup the This as That part):

index=main
| table Vendor Product Version
| lookup Vendor as Vendor Product as Product Version as Version OUTPUT Hostname

@marycordova

How to add a new column after lookup match?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!