Splunk Search

How to add lookups that don't have matching fields on the log entries

sa_splunk
New Member

Let's say I have log entries as follows:

  • sourcetype-syslog: time, event_id, host

I want to be able to incorporate two tables that have the following data:

  • CITY_TABLE: host, city

  • STATE_TABLE: city, state

How would I be able to add CITY_TABLE and STATE_TABLE to Splunk in order to obtain search results that will provide: time, event_id, host, city, state?

The problem I am having is I don't know how to get the STATE_TABLE into Splunk and include it in my search. For example, when adding STATE_TABLE as a lookup, it asks which field in STATE_TABLE maps to a field in the logs (i.e. we have the choice of using host, sourcetype, etc.), but STATE_TABLE doesn't have those fields.

1 Solution

Ayn
Legend

Can't you just chain your lookups?

... | lookup CITY_TABLE host OUTPUT city | lookup STATE_TABLE city OUTPUT state

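To see why the chained search works without mapping STATE_TABLE to any field in the raw events, here is an added example (not from the original thread, and not Splunk's own code) that models the semantics of two chained `lookup` commands in Python: each `lookup` is a left join, events whose key has no row in the table pass through untouched, `OUTPUT` overwrites an existing field while `OUTPUTNEW` only fills a missing one, and the second lookup keys on the `city` field that the first lookup just produced. The CSV contents, host names and event IDs are constructed sample data; the "which field maps to the logs" prompt in the Splunk UI is only needed for automatic lookups defined in props.conf, which this search does not use.

```python
import csv
import io

# Constructed lookup tables in the layout a Splunk CSV lookup expects
# (header row = field names). Sample data only, not real hosts.
CITY_TABLE_CSV = """host,city
web01,Boston
db01,Austin
"""

STATE_TABLE_CSV = """city,state
Boston,MA
Austin,TX
"""

# Constructed sample events carrying the question's fields (time, event_id, host).
# "hostX" deliberately has no row in CITY_TABLE to show a non-matching event.
EVENTS = [
    {"time": "2024-01-05T10:00:00Z", "event_id": "4625", "host": "web01"},
    {"time": "2024-01-05T10:00:01Z", "event_id": "4624", "host": "db01"},
    {"time": "2024-01-05T10:00:02Z", "event_id": "4688", "host": "hostX"},
]


def load_lookup(csv_text):
    """Parse CSV lookup text into a list of row dicts keyed by header name."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def lookup(events, table, key, output_fields, outputnew=False, case_sensitive=True):
    """Model of `| lookup <table> <key> OUTPUT <fields>`.

    Left-join semantics: every event is kept; an event whose key value has no
    row in the table (or that lacks the key field entirely) is returned
    unchanged. OUTPUT overwrites a field already on the event; OUTPUTNEW
    (outputnew=True) only fills fields the event does not yet have. Matching is
    exact by default; case_sensitive=False models a case-insensitive lookup.
    First matching row wins (a modelling assumption for this example).
    """
    norm = (lambda v: v) if case_sensitive else (lambda v: v.lower())
    index = {}
    for row in table:
        index.setdefault(norm(row[key]), row)
    out = []
    for ev in events:
        ev = dict(ev)  # do not mutate the caller's event
        row = index.get(norm(ev[key])) if key in ev else None
        if row is not None:
            for f in output_fields:
                if outputnew and f in ev:
                    continue
                ev[f] = row[f]
        out.append(ev)
    return out


def enrich(events, city_csv=CITY_TABLE_CSV, state_csv=STATE_TABLE_CSV):
    """Equivalent of the accepted search:
    ... | lookup CITY_TABLE host OUTPUT city | lookup STATE_TABLE city OUTPUT state
    The second lookup keys on `city`, which exists only because the first
    lookup added it; no field of STATE_TABLE ever has to match the raw logs.
    """
    city_table = load_lookup(city_csv)
    state_table = load_lookup(state_csv)
    step1 = lookup(events, city_table, "host", ["city"])
    return lookup(step1, state_table, "city", ["state"])


if __name__ == "__main__":
    cols = ["time", "event_id", "host", "city", "state"]
    for ev in enrich(EVENTS):
        # `| table time event_id host city state`; unmatched fields print blank
        print("  ".join(ev.get(c, "") for c in cols))
```

Two things to check in a real deployment that the model makes visible: a host absent from CITY_TABLE silently gets neither `city` nor `state` (no error, just missing fields), and a key that differs only in case will not match unless the lookup definition is configured case-insensitively (`case_sensitive_match` in transforms.conf).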

sa_splunk
New Member

Thanks! This worked.
