Using field in lookup table to get field in second lookup table

billyhigdon
New Member

Hi All,

I'm new to Splunk and I'm trying to mess around with a few lookup tables that I imported. I have two, let's call them table1.csv and table2.csv. Table1.csv has many columns, however there are two in particular that I'm concerned with; servername (a column of all servers that have the Splunk forwarder installed) and clientcode (a codename that lists the client the server belongs to). Table2.csv has only two columns; email (the email distribution list for that client) and client_code (pretty much a duplicate of clientcode from table1.csv).

Here's what I would like to accomplish. I would like to write up a query that takes a servername within Table1.csv and writes the corresponding clientcode to a variable. I would then like it to take that variable and match it to the client_code column in Table2.csv and from there grabbing the corresponding Email field and putting it to a variable.

What I've written so far is here

| inputlookup Table2.csv | lookup Table2.csv Email | where Client_Code="Client 1"

This seems to combine the two .CSV files into one, and allows me to look up the email address based upon the Client_Code. I can't for the life of me figure out how to extend this so as to have Client_Code automatically fed a string based upon the outcome of another lookup

| inputlookup Table1.csv | lookup Table1.csv clientcode | where servername="Server 1"

Any idea how I can combine these to achieve my objective?

Thank You,
Billy

0 Karma

somesoni2
Revered Legend

Try like this

| inputlookup Table1.csv | lookup Table2.csv client_code AS clientcode OUTPUT Email | where clientcode="Client 1" AND servername="Server 1" 

The field name for client code in Table1.csv is clientcode and client_code in Table2.csv, so that lookup command here incorporates that. It will basically populate Email for all the servernames in Table1.csv for which client code exists in Table2.csv. You can then add appropriate filters.

0 Karma
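To see what the chained lookup in this thread produces row by row, here is a small Python emulation, added as an illustration and not code from either poster or from Splunk. The CSV contents, the example.com addresses and the helper names (`read_table`, `lookup`, `email_for_server`) are constructed assumptions; it assumes each client code appears once in Table2.csv and matches values exactly.

```python
import csv
import io

# Constructed sample data; column names follow the thread (servername/clientcode,
# client_code/Email). The real CSV contents are not shown on the page.
TABLE1_CSV = """servername,clientcode
Server 1,Client 1
Server 2,Client 2
Server 3,Client 9
"""
TABLE2_CSV = """client_code,Email
Client 1,client1-dl@example.com
Client 2,client2-dl@example.com
"""

def read_table(text):
    """Parse CSV text into a list of row dicts (like `| inputlookup`)."""
    return list(csv.DictReader(io.StringIO(text)))

def lookup(rows, table, lookup_field, event_field, output_field):
    """Simplified `lookup <table> <lookup_field> AS <event_field> OUTPUT <output_field>`.

    Assumes each key occurs once in the table and matches values exactly
    (case-sensitive). Rows without a match are kept, without the output field.
    """
    index = {r[lookup_field]: r[output_field] for r in table}
    enriched = []
    for row in rows:
        new_row = dict(row)
        key = row.get(event_field)
        if key in index:
            new_row[output_field] = index[key]
        enriched.append(new_row)
    return enriched

def email_for_server(servername):
    """servername -> clientcode (Table1) -> Email (Table2); None if no match."""
    rows = lookup(read_table(TABLE1_CSV), read_table(TABLE2_CSV),
                  "client_code", "clientcode", "Email")
    for row in rows:
        if row["servername"] == servername:
            return row.get("Email")
    return None

if __name__ == "__main__":
    for name in ("Server 1", "Server 3", "Server 7"):
        print(name, "->", email_for_server(name))
```

"Server 3" is the case to watch when the result feeds alert routing: its client code has no row in Table2.csv, so the server stays in the results with no Email value.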