Solved: Re: How to compare to a lookup table and pull fiel...

mgrosholz · ‎05-09-2017

I have an index=foo and a lookup table defined as foo2. How can I compare my index to the table to show only results matching fieldA in foo2 and pulling fieldB from foo2?

I have tried below and many variations of it but I get no results.

index=foo
[| inputlookup foo2 | fields fieldA]

index=foo
| lookup foo2 fieldA OUTPUT fieldB

chrishartsock · ‎05-09-2017

Ultimately, you should be able to do:

index=foo
| lookup foo2 fieldA AS fieldA_name_in_foo OUTPUT fieldB
| where NOT isnull(fieldB)

View solution in original post

chrishartsock · ‎05-09-2017

Ultimately, you should be able to do:

index=foo
| lookup foo2 fieldA AS fieldA_name_in_foo OUTPUT fieldB
| where NOT isnull(fieldB)

mgrosholz · ‎05-09-2017

Why did you add the not null for fieldB?

chrishartsock · ‎05-09-2017

The lookup simply adds fieldB to events in index=foo where fieldA is matched. If fieldA is not matched, the event still shows up, but fieldB is null. Therefore the not isnull fulfills the "show only results matching fieldA in foo2" requirement.

mgrosholz · ‎05-09-2017

Oh, and thanks btw.

chrishartsock · ‎05-09-2017

Is fieldA the same name in foo and foo2?

chrishartsock · ‎05-09-2017

Not necessarily. But since it is different you will need to rename fieldA to what it is in foo:

index=foo
| lookup foo2 fieldA AS fieldA_name_in_foo OUTPUT fieldB

mgrosholz · ‎05-09-2017

I had a typo on my end. It works.

mgrosholz · ‎05-09-2017

Sweet we are getting somewhere! I got the output of fieldB but results are still showing all results of fieldA not just what populates compared to the lookup table. <--does that make sense?

mgrosholz · ‎05-09-2017

No. It is not. Should it be?

How to compare to a lookup table and pull fields?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases