Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Conditional Lookup

ashish9433
Communicator
‎01-11-2018 11:25 AM

Hi Team,

This appears to be a complex scenario to me to implement on Splunk

Below is the table i have on Splunk

alt text

In the above table, for check_ids (1.1.10, 1.1.14.... and so on ) there are multiple blank fields and i need to fill the blanks with a information in the lookup and condition.

Below is the lookup file.

alt text

In the lookup file, for each profile what all check_id are present is mentioned.

Here comes the problem statement.

In the first image above i want to fill the blanks to "unknown" if for that respective profile and check_id there is no entry in the lookup table.

For example - In the first row, the profile is "coreos-level-1" and there is blank for "1.1.10", "1.1.14", both these entries are not there in the lookup, so i want to replace blank with "Unknown", whereas if the check_id exists in the lookup then nothing needs to be filled and it can remain blank.

Can anyone help me with a logic to get this done in Splunk?

Tags (3)
Preview file
1 KB
Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎01-11-2018 11:44 AM

Give this a try

your currrent search giving fields instance, a field for each check_ids and profile
| eval temp=instance."#".profile | fields - instance profile
| untable temp Check_ID Val
| eval Profile=mvindex(split(temp,"#"),1)
| lookup YourLookupTable.csv Check_ID Profile OUTPUT Profile as Val2
| eval Val2=if(isnull(Val2),"Unknown",null())
| eval Val=coalesce(Val,Val2)
| xyseries temp Check_ID Val
| rex field=temp "(?<instance>.+)#(?<profile>.+)" | fields - temp
| table instance * profile

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎01-11-2018 11:44 AM

Give this a try

your currrent search giving fields instance, a field for each check_ids and profile
| eval temp=instance."#".profile | fields - instance profile
| untable temp Check_ID Val
| eval Profile=mvindex(split(temp,"#"),1)
| lookup YourLookupTable.csv Check_ID Profile OUTPUT Profile as Val2
| eval Val2=if(isnull(Val2),"Unknown",null())
| eval Val=coalesce(Val,Val2)
| xyseries temp Check_ID Val
| rex field=temp "(?<instance>.+)#(?<profile>.+)" | fields - temp
| table instance * profile
Reply
Solved! Jump to solution

ashish9433
Communicator
‎01-12-2018 08:03 AM

This guidance, made me get what i was looking for! Thanks

0 Karma
Reply
Solved! Jump to solution

micahkemp
Champion
‎01-11-2018 11:39 AM

How was the top table created? Being in that format definitely complicates your search, so if you instead have access to the data used to create that table it may be easier to start with the raw data instead.

Also, please include these samples in text form, not screenshots. It's very difficult to work with sample data when you have to manually enter it in.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...