- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How do you get an automatic lookup file to coalesc...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do you get an automatic lookup file to coalesce with an existing field?
Hi All,
I have looked around on the community but I am unable to find anything that matches what I'm looking for, so apologies if this has already been asked somewhere.
I am trying to figure out how to do an automatic lookup in Splunk where the field already exists, and I just want to append an additional field into an existing field for things that match.
For example, I have a CSV called Exclusions.csv
ID Computer STATUS
1 X EXCLUDED
2 Y EXCLUDED
3 Z EXCLUDED
4 B EXCLUDED
In my index there are already fields called ID, Computer and STATUS.
I want to create an automatic lookup which matches ID and Computer and if they do match output EXCLUDED into the STATUS field.
I have done this. However, the problem that I am having is that, if nothing matches in the lookup, the STATUS field for the existing data disappears.
Has anyone experienced this problem before?
Any help would be great.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@abbam,
If your field name in the event and the field name in the lookup table is same, then the output option overwrites the matching fields. You could try by aliasing the output field to a new field using AS
For e.g. your search |lookup lookup_name ID,Computer OUTPUT STATUS as NEW_STATUS|eval STATUS=coalesce(NEW_STATUS,STATUS)
Run anywhere example
|inputlookup geo_attr_us_states.csv|table state_fips,state_name,state_code|head 10
|lookup states.csv state_fips,state_name OUTPUT state_code as state_code_new|eval state_code=coalesce(state_code_new,state_code)
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@renjith.nair
I have tried this already but it seems messy, is there anyway to do the colesce automatically?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You you want to always overwrite the values of existing data-field STATUS if the ID and computer field matches, and do not want to overwrite where there is no match?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@somesoni2 yes exactly but it has to be through automatic lookup.
Detecting Remote Code Executions With the Splunk Threat Research Team
Observability | Use Synthetic Monitoring for Website Metadata Verification
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
