Need a Help with Query

satyaallaparthi · ‎03-27-2024

I have two lookups, 1 with 460K rows and another with 10K rows.

I used join to get the 10K results from 460K rows, however join is not working and not returning any results.

I used table and stats in both lookups though no results.

gcusello · ‎03-27-2024

Hi @satyaallaparthi,

whats the result you're waiting for?

do you want to filter the first lookup using the second?

in this case try this:

| inputlookup unix.csv
| eval sys_name = lower(FQDN)
| search [ 
   | inputlookup inventory.csv
   | eval sys_name = lower("*".sys_name."*")
   | fields sys_name ]
| table Status sys_name host-ip  "DNS Name"

If instead you want to take values between both the lookups, yu can use the lookup command (https://docs.splunk.com/Documentation/SCS/current/SearchReference/LookupCommandOverview) in this way:

| inputlookup unix.csv
| eval sys_name = lower(FQDN)
| lookup inventory.csv sys_name
| table Status sys_name host-ip  "DNS Name"

My only doubt is that in the two lookups the sys_name has different format.

In this case, my hint is to elaborate the lookup to have another lookup with the correct sys_name.

Ciao.

Giuseppe

satyaallaparthi · ‎03-27-2024

Great! The 'search' function worked as intended, instead of 'join'.

gcusello · ‎03-27-2024

Hi @satyaallaparthi ,

good for you, see next time!

let me know if I can help you more, or, please, accept one answer for the other people of Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

Need a Help with Query

stats

table

Introducing the Splunk Community Dashboard Challenge!

Wondering How to Build Resiliency in the Cloud?

Updated Data Management and AWS GDI Inventory in Splunk Observability