Re: How to find comman value from multiple watchli...

akshayinnamuri · ‎07-13-2022

Hi
below is one of the requirement

I have multiple lookuptable

example

number name lookuptable

1 abc 1stlookuptable

number name lookuptable

1 abc 2ndlookuptable

number name lookuptable

1 dxc 3rdlookuptable

number name lookuptable

1 xyz 4thlookuptable

number name lookuptable

1 abc 5thlookuptable

requirement is how to build query where name=abc (from above example) to shows below table fields stating abc belong to which lookuptable on run

name lookuptable

example out

name lookuptable

abc 1stlookuptable

2ndlookuptable

5thlookuptable

harishalipaka · ‎07-14-2022

@akshayinnamuri

Values - without duplicate , list - with duplicates

| makeresults| eval lookupname="1stlookuptable",name="abc" | table name lookupname
| append [ | makeresults | eval lookupname="2ndlookuptable",name="abc" | table name lookupname ]
| append [ | makeresults | eval lookupname="3rdlookuptable",name="dxc" | table name lookupname ]
| append [ | makeresults| eval lookupname="4thlookuptable",name="xyz" | table name lookupname ]
| append [ | makeresults | eval lookupname="5thlookuptable",name="abc" | table name lookupname ] | stats list(lookupname) AS lookupname BY name

Thanks
Harish

gcusello · ‎07-14-2022

Hi @akshayinnamuri,

please try something like this:

| inputlookup 1stlookuptable | eval lookupname="1stlookuptable" | fields name lookupname
| append [ | inputlookup 2ndlookuptable | eval lookupname="2ndlookuptable" | fields name lookupname ]
| append [ | inputlookup 3rdlookuptable | eval lookupname="3rdlookuptable" | fields name lookupname ]
| append [ | inputlookup 4thlookuptable | eval lookupname="4thlookuptable" | fields name lookupname ]
| append [ | inputlookup 5thlookuptable | eval lookupname="5thlookuptable" | fields name lookupname ]
| stats values(lookupname) AS lookupname BY name

Ciao.

Giuseppe

How to find comman value from multiple watchlist

join

lookup

regex

subsearch

table

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk