How to Perform Index Search and Join Operation in Splunk Similar to Lookup Search Logic


I'm trying to replicate the functionality of a Splunk lookup search command using index search and join operations. Here's the original lookup search command I'm trying to replicate:

| lookup "sensitive_data.csv" FIELD_A as KEY_A, FIELD_B as KEY_B OUTPUT SENSITIVE_FIELD as OUTPUT_FIELD

However, I want to achieve the same result without using inputlookup and only relying on index search. Here's my attempt:

index=your_index_name | fields FIELD_A FIELD_B | join type=outer FIELD_A [search index=your_index_name | stats values(SENSITIVE_FIELD) as OUTPUT_FIELD by FIELD_A]

But this doesn't seem to work as expected. I'm not getting the desired results. It seems I might be missing something in my approach.

Can anyone provide guidance on how to properly perform index search and join operations in Splunk to replicate the logic of the lookup search command mentioned above?
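One way to key the join on both fields the way the lookup does, added here as an example and not part of the question: it assumes the CSV contents have been indexed into a hypothetical index named sensitive_index carrying FIELD_A, FIELD_B and SENSITIVE_FIELD, and that the events carry KEY_A and KEY_B as in the original lookup. Because join matches on identically named fields on both sides, the event keys are renamed to the lookup's names before the join and back afterwards; the subsearch projects only the output field, so no other columns from the sensitive index reach the result.

```spl
index=your_index_name
| rename KEY_A as FIELD_A, KEY_B as FIELD_B
| join type=left FIELD_A, FIELD_B
    [ search index=sensitive_index
      | stats values(SENSITIVE_FIELD) as OUTPUT_FIELD by FIELD_A FIELD_B ]
| rename FIELD_A as KEY_A, FIELD_B as KEY_B
```

type=left keeps events with no match, which mirrors the lookup leaving OUTPUT_FIELD empty; the join subsearch is bounded by the [join] limits in limits.conf (50,000 rows and 60 seconds by default), so results are silently truncated on a large sensitive index.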
