Solved: Re: Compare search field to similar field in looku...

becksyboy · ‎11-01-2017

Hi i'm having trouble trying to to do the following:

I have a search which pulls the event_id, which i would like to compare against the first lookup_file1 [alert_id] which contains a column called alert_id, and in turn list the associated severity values from the next column.

lookup1 = alert_id
(col names)
alert,alert,id,class,severity

I would then like to compare the above results to lookup_file2 [alert_severity] and take the previous severity values and list the severity_message

lookup2 = alert_severity
(col names)
severity,severity_message

Past Attempts:

thanks

gcusello · ‎11-01-2017

Hi becksyboy,
use two times lookup command

index="zsecure_test" 
| fields alert_id
| dedup alert_id 
| lookup alert_id alert_id OUTPUT class severity
| lookup alert_severity severity OUTPUT severity_message 
| table alert_id class severity severity_message

Bye.
Giuseppe

View solution in original post

gcusello · ‎11-01-2017

Hi becksyboy,
use two times lookup command

index="zsecure_test" 
| fields alert_id
| dedup alert_id 
| lookup alert_id alert_id OUTPUT class severity
| lookup alert_severity severity OUTPUT severity_message 
| table alert_id class severity severity_message

Bye.
Giuseppe

becksyboy · ‎11-01-2017

Thanks Giuseppe! works great

Compare search field to similar field in lookup1 then compare to field in lookup2

Index This | Forward, I’m heavy; backward, I’m not. What am I?

A Guide To Cloud Migration Success

Join Us for Splunk University and Get Your Bootcamp Game On!