Solved: How to add lookups that don't have matching fields...

sa_splunk · ‎03-05-2013

Let's say I have log entries as follows:

sourcetype-syslog: time, event_id, host

I want to be able to incorporate two tables that have the following data:

CITY_TABLE: host, city
STATE_TABLE: city, state

How would I be able to add CITY_TABLE and STATE_TABLE to splunk in order to obtain search results that will provide: time, event_id, host, city, state?

The problem I am having is I don't know how to get the STATE_TABLE into Splunk and to include it in my search. For example, when adding STATE_TABLE as a lookup, it asks what I field in STATE_TABLE maps to in the logs (ie we have the choice of using host, sourcetype, etc), but STATE_TABLE doesn't have those fields.

Ayn · ‎03-06-2013

Can't you just chain your lookups?

... | lookup CITY_TABLE host OUTPUT city | lookup STATE_TABLE city OUTPUT state

View solution in original post

Ayn · ‎03-06-2013

Can't you just chain your lookups?

... | lookup CITY_TABLE host OUTPUT city | lookup STATE_TABLE city OUTPUT state

sa_splunk · ‎03-06-2013

Thanks! This worked.

How to add lookups that don't have matching fields on the log entries

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor