Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can you help me to create a join in a lookup file?

kingwaras
Engager
‎12-11-2018 04:05 AM

Hi all,

I need your help.
I created a lookup file (hierarchy_lookup.csv) with this layout

alt text

I would like to create a dashboard that, in the multiselect list view, the EnterpriseID presents in the lookup file that has a common field (Scope, Module) of the current user logged into Splunk.

In my case for example (line 4 & 5), I have two module (DWH and BW). I need to view all EnterpriseID that have my same Module and Scope.
I have tried to generate the query, but it is not working very well.

| inputlookup hierarchy_lookup.csv
|  where [| rest /services/authentication/current-context 
                      | table username
                      | rename username as EnterpriseID]
| fields Scope, Module, EnterpriseID
| join Scope, Module type=inner [
      | inputlookup hierarchy_lookup.csv
      | stats count by Scope,Module
  ]

alt text

In this case, I would like that my query return

[SCOPE] ; [MODULE] ; [ENTERPRISEID] ; [COUNT]
Logistica ; DWH ; myEnterpriseID (line 4 of lookup) ; 1
Logistica ; BW ; myEnterpriseID (line 5 of lookup) ;1
Logistica ; BW ;EnterpriseID (line 3 of lookup) ; 1
Logistica ; BW ;EnterpriseID (line 6 of lookup) ; 1
Logistica ; DWH ;EnterpriseID (line 7 of lookup) ; 1

I hope I have explained my problem well.
Thanks in advance.

Preview file
1 KB
Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

dmarling
Builder
‎12-12-2018 06:07 AM

Without having an equivalent lookup to play with, I found a couple syntax issues with the first part of search you wrote. Can you give this a try to see if this produces the same table as your first screen shot?

| inputlookup hierarchy_lookup.csv 
| where 
    [| rest /services/authentication/current-context 
    | where username!="splunk-system-user" 
    | rename username as EnterpriseID 
    | table EnterpriseID 
    | format] 
| fields Scope, Module, EnterpriseID 
| join Scope, Module type=inner 
    [| inputlookup hierarchy_lookup.csv 
    | stats count by Scope,Module]

As for the second part, the request is to have a table automatically display the same scope and model for all users that share the Scope and Module as that user. I believe the below search would accomplish that to produce the table you listed out:

| inputlookup hierarchy_lookup.csv 
| where 
    [| inputlookup hierarchy_lookup.csv 
    | where 
        [| rest /services/authentication/current-context 
        | where username!="splunk-system-user" 
        | rename username as EnterpriseID 
        | table EnterpriseID 
        | format] 
    | table Scope Module 
    | format] 
| fields Scope, Module, EnterpriseID 
| join Scope, Module, EnterpriseID type=inner 
    [| inputlookup hierarchy_lookup.csv 
    | stats count by Scope Module EnterpriseID]
If this comment/answer was helpful, please up vote it. Thank you.

View solution in original post

Reply
Solved! Jump to solution
Solution

dmarling
Builder
‎12-12-2018 06:07 AM

Without having an equivalent lookup to play with, I found a couple syntax issues with the first part of search you wrote. Can you give this a try to see if this produces the same table as your first screen shot?

| inputlookup hierarchy_lookup.csv 
| where 
    [| rest /services/authentication/current-context 
    | where username!="splunk-system-user" 
    | rename username as EnterpriseID 
    | table EnterpriseID 
    | format] 
| fields Scope, Module, EnterpriseID 
| join Scope, Module type=inner 
    [| inputlookup hierarchy_lookup.csv 
    | stats count by Scope,Module]

As for the second part, the request is to have a table automatically display the same scope and model for all users that share the Scope and Module as that user. I believe the below search would accomplish that to produce the table you listed out:

| inputlookup hierarchy_lookup.csv 
| where 
    [| inputlookup hierarchy_lookup.csv 
    | where 
        [| rest /services/authentication/current-context 
        | where username!="splunk-system-user" 
        | rename username as EnterpriseID 
        | table EnterpriseID 
        | format] 
    | table Scope Module 
    | format] 
| fields Scope, Module, EnterpriseID 
| join Scope, Module, EnterpriseID type=inner 
    [| inputlookup hierarchy_lookup.csv 
    | stats count by Scope Module EnterpriseID]
If this comment/answer was helpful, please up vote it. Thank you.
Reply
Solved! Jump to solution

dmarling
Builder
‎12-11-2018 12:26 PM

I have moved this from a comment to an answer. Please accept the answer when you get a moment. Thank you!

If this comment/answer was helpful, please up vote it. Thank you.
0 Karma
Reply
Solved! Jump to solution

kingwaras
Engager
‎12-12-2018 01:09 AM

Hi @dmarling,
you can convert this to an answer... It's working very well!!

Thank you so much for your help.

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...