I have two files which I have uploaded into Splunk, and both work as intended.
One is a detailed file containing people's names, along with other information.
The second is a specific list of names of people I am interested in looking at from the first file.
I know I can import files into my searches with
| inputlookup file.csv | The rest of the search
But when I try to input two lookups I get an error.
What is the easiest way to do this?
Try this:
| inputlookup file.csv | join <common field name, e.g. people_name> [ | inputlookup file2.csv ]
Here, join with the second lookup using the common field name; in your case it is the people_name field.
Based on what you've said in comments above, I believe this is the search structure you're looking for. I'll reference the file containing the logs you want to search as events_log.csv and the file containing the list of people as people.csv. This also assumes you have a column in people.csv called people_name, and that the logs in events_log.csv also contain a field called people_name.
| inputlookup events_log.csv where
[ | inputlookup people.csv
| fields people_name ]
If the events_log.csv file names the field differently, then you'll need a rename command inside the subsearch to make the field names align.
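The accepted structure written out for the case the answer mentions, where the two files name the field differently, as an added example (my own, not from the original answer; it assumes people.csv calls the column person while events_log.csv calls it people_name). The first search is the filtered lookup; the second runs only the subsearch and appends format, which shows the filter expression the subsearch will expand to:

```spl
| inputlookup events_log.csv where
    [ | inputlookup people.csv
      | rename person AS people_name
      | fields people_name ]

| inputlookup people.csv
| rename person AS people_name
| fields people_name
| format
```

The second search returns a single search field such as ( ( people_name="A" ) OR ( people_name="B" ) ), which is exactly the (person=A OR person=B ...) list the question wanted to stop writing by hand. Subsearches are capped by limits.conf (10,000 results and 60 seconds by default), so a very long people list has to stay within those limits or the filter will silently be truncated.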
Thanks!
The problem has been solved now but your method works 🙂
Great. As an FYI, you should not use a join for searches like this if you can possibly avoid it. As data sizes grow, join will consume a lot of resources and will often have silent failures that will be a pain to diagnose. There will likely be times you can't avoid using a join in your search, but it's strongly recommended that you avoid them when possible.
Cool, useful to know, thanks!
Maybe I should have been more clear, this simply added on the second file to the first.
The first file is one I want to do the searching on, the second file contains a list of people I want to be searching again. Essentially it is an easier way rather than writing (person=A OR person=B....) in every search and also means it can easily be updated.
So I essentially want to query the second file against the first.
join will not append/add two files; instead it will match using common fields.
For example:
file1.csv
people_name  column2
A            2
B            3
file2.csv
people_name  column3
A            25
B            88
and now join will give output as
people_name  column2  column3
A            2        25
B            3        88
Mine came out in the format
file1.csv
people_name  column2
A            2
B            3
file2.csv
people_name
A
B
output
people_name  people_name  column2
A            A            2
A            B            3
Could you provide the query you have tried?
Ah, I now see that I had the part of the search string entered wrongly, my mistake.
This method works great, thanks for your help 🙂