Splunk Search

How to search variable field text values in lookup against field text values in actual data?

20065945
Explorer

I have created a lookup table named simple.csv.
The lookup table has the following fields:

Text, Name

Launched application: Automatic Registration, Automatic Registration

Launched application: Bone Mineral Density, Bone Mineral Density

Launched application: Comp. Cardiac, Comp. Cardiac

The Text value in the data actually looks like this:
Launched application: Bone Mineral Density, PID 345 or
Launched application: Bone Mineral Density, PID 941 or
Launched application: Comp. Cardiac, now start or
Launched application: Comp. Cardiac, now stop

What I want is that it should search for the specified Text as mentioned in the search, fetch the Name specified against it from the lookup table, and give the desired Name in the table,
i.e. the value in the Text field of the lookup table is only part of the Text that is to be matched against the Text in the actual data. Since the two fields do not have the same values, I am not getting the required result.

While searching I am using

sourcetype=philips_client_logs Text="Launched application: Automatic Registration"|table Text|join[inputlookup simple.csv]

Kindly suggest what to do.
Thanks in advance.


ngatchasandra
Builder

If the two Text fields do not have the same values in your actual data and your lookup table, it is normal that you do not get the required results, because, to join the two (your actual data with your simple.csv), it is necessary that the "Text" field of your actual data has all of its values in the "Text" field of the simple.csv file, since this field is used as the join point of the two files.

Thus, for the search sourcetype=philips_client_logs Text="Launched application: Automatic Registration"|table Text|join[inputlookup simple.csv], it is necessary that this value of "Text" exists in simple.csv.
My test displays as follows:

1- Verify whether Text="Launched application: Automatic Registration" is present in your simple.csv, because when I run the search string with your data, index=business Text="Launched application: Automatic Registration"|table Text|join[inputlookup simple.csv], I get "no results found". This is because this value of Text is not within the simple.csv file.

2- Finally, I run the search index=business Text="Launched application: Comp. Cardiac"|table Text|join [inputlookup simple.csv], and I get the Name that matches the value of "Text" as follows:

                  Text                               Name
                Launched application: Comp. Cardiac Comp. Cardiac
                Launched application: Comp. Cardiac Comp. Cardiac
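The mismatch described in the question (the lookup holds "Launched application: Comp. Cardiac" while the event holds "Launched application: Comp. Cardiac, now start") is usually solved by normalising the event field before the lookup rather than by changing the lookup: extract the part up to the first comma into a new field, then use that field as the lookup key. The search below is an added example and is not part of the original post or of either reply; it assumes the sourcetype and field names from the question (philips_client_logs, Text, Name), that simple.csv has been uploaded as a lookup table file, and it introduces one field of its own, app_text, for the extracted prefix.

```spl
sourcetype=philips_client_logs Text="Launched application:*"
| rex field=Text "^(?<app_text>Launched application: [^,]+)"
| lookup simple.csv Text AS app_text OUTPUT Name
| table Text app_text Name
```

For the four sample lines in the question, app_text becomes "Launched application: Bone Mineral Density" for the two PID lines and "Launched application: Comp. Cardiac" for the start/stop lines, so each row gets the Name from the matching lookup row; an event whose prefix has no lookup row keeps an empty Name, which is the quickest way to find values that still need adding to simple.csv. To restrict the result to one application, filter on app_text after the rex, for example | search app_text="Launched application: Automatic Registration". A lookup is also the better tool here than join with an inputlookup subsearch: lookup is applied row by row with no subsearch result limit, while join is subject to the subsearch limits and is considerably more expensive. Two caveats: lookup matching is case-insensitive by default, and a trailing space in a CSV cell silently breaks the match. If you would rather keep the event field untouched, the other approach is a lookup definition with match_type = WILDCARD(Text) in transforms.conf and lookup values ending in *, but that requires editing the lookup definition rather than just the search.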

ngatchasandra
Builder

Do you obtain "no results found" or a result that is not what you require? When I run your search I get "no results found", but I am going to reply to you.
