Solved: how to report based on different lookup tables

pstamati · ‎01-03-2018

Hello!

I have been looking for a way to report or dashboard based on this scenario. I have 3 different lookup tables:
Table 1: Key field IP Address, with field 2, field 3, field 4, etc.
Table 2: Key field IP Address, with field 5, field 6, field 7 etc.
Table 3: Key field IP Address, with field 8, field 9 and field 10.

How can I report/dashboard to show something like:

IP address, field 2, field3, field 4, field5, field6, ....field 10?

Thanks in advance for any assistance you can provide as I have been unsuccessfully trying this for quite so long. These tables are been automatically generated by Splunk grabbing data from different sources so I would avoid the manual process of just manually downloading this and consolidate it 🙂

somesoni2 · ‎01-03-2018

You can do like this

| inputlookup YourLookupTable1.csv  | table IP_ADDRESS field2 field3 field4 
| lookup YourLookupTable2.csv IP_ADDRESS OUTPUT field5 field6 field7
| lookup YourLookupTable3.csv IP_ADDRESS OUTPUT field8 field9 field10

View solution in original post

pstamati · ‎01-03-2018

I found it...sorry, I needed to use AS to match IP Address from Table 1 and Table 2.
Many thanks!!

somesoni2 · ‎01-03-2018

You can do like this

| inputlookup YourLookupTable1.csv  | table IP_ADDRESS field2 field3 field4 
| lookup YourLookupTable2.csv IP_ADDRESS OUTPUT field5 field6 field7
| lookup YourLookupTable3.csv IP_ADDRESS OUTPUT field8 field9 field10

pstamati · ‎01-03-2018

Thanks for your reply. I was just trying what you've suggested. So for a particular IP address, I want to list all the fields in the 3 different lookups I have. Is there any match or Join I need to do to get that?

how to report based on different lookup tables

Introducing the Splunk Community Dashboard Challenge!

Wondering How to Build Resiliency in the Cloud?

Updated Data Management and AWS GDI Inventory in Splunk Observability