I am having trouble getting this to work. I have a lookup table with 4 columns:
A,B,C,D
=======
1,a,,,
,,2,b
I want to perform 2 lookups in the same query:
search | lookup mylookup.csv A | lookup mylookup.csv C
Should this work?
The solution is to use OUTPUTNEW which looks like it tells Splunk not to overwrite the field.
search | lookup mylookup.csv A OUTPUTNEW B | lookup mylookup.csv C OUTPUTNEW D
Thanks for this answer! It was helpful to realize that using the same output name is overwriting.
I did the following as well to collapse the output fields back into one field.
search
| lookup mylookup.csv A OUTPUTNEW B
| lookup mylookup.csv C OUTPUTNEW D
| lookup mylookup.csv E OUTPUTNEW F
| lookup mylookup.csv G OUTPUTNEW H
| eval allInOneAgain = coalesce(B, D, F, H)
| fields - B D F H
I wonder if the output of the first lookup does not erase your C field.
See http://docs.splunk.com/Documentation/Splunk/5.0.1/SearchReference/Lookup
Try:
search | lookup mylookup.csv A output B | lookup mylookup.csv C output D
Or test by saving the result in new fields to verify how the fields get populated:
search | lookup mylookup.csv A output A as firstA B AS firstB C as firstC D as firstD | lookup mylookup.csv C output A as secondA B AS secondB C as secondC D as secondD
Yes, it appears that is what is happening. Or the 2nd lookup erases the first. I did come up with a kludgy workaround which is to create 2 lookup files so that there is no trampling.