topic Re: How to pass a value to the |inputlookup where , inside a subsearch in Splunk Search

How to pass a value to the |inputlookup where , inside a subsearch

AVOLLMER — Tue, 29 Sep 2020 18:00:42 GMT

I have a search:

index=examp1 sourcetype=json application=myservice NOT [|inputlookup aps_test_filter.csv where application=<>| fields application prod_issue filter_field filter_values| eval {filter_field}=filter_values | fields - filter_field filter_values | stats values(*) as * by prod_issue | fields - prod_issue]

The CSV files has a set of filters to apply for each application. It is correctly output-ing these filters to my main search string as follows:

`NOT ((application=myservice AND field1_prod_issue1=value AND field2_prod_issue1=value)

OR (application=myservice AND field1_prod_issue2=value AND field2_prod_issue2=value))`

The problem is I have a ton of filters in the CSV and I don't need them all to be looked up and applied to the search string, I only want the rows that match the correct application to be used.

I know that the subsearch runs first, which prevents me from passing values to it from my main search. Is there a way to achieve this? I have everything from the NOT, onward, in a macro that I want to append to all my alerts, reports.

Thanks!

Re: How to pass a value to the |inputlookup where , inside a subsearch

p_gurav — Wed, 07 Feb 2018 05:32:34 GMT

Hi AVOLLMER,

Try using this map command. Refer below link:
http://docs.splunk.com/Documentation/Splunk/7.0.2/SearchReference/Map

Re: How to pass a value to the |inputlookup where , inside a subsearch

AVOLLMER — Tue, 29 Sep 2020 18:01:20 GMT

Thanks for you answer p_gurav , unfortunately, I don't see how I can prepend the results from the map subsearch with the NOT operator to filter the results in my original search as indicated in the questions.
If I do this:
index=examp1 sourcetype=json application=myservice <can't put NOT here since results are on other side of pipe >|map[|inputlookup aps_test_filter.csv where application=$application$| fields application prod_issue filter_field filter_values| eval {filter_field}=filter_values | fields - filter_field filter_values | stats values(*) as * by prod_issue | fields - prod_issue]

Re: How to pass a value to the |inputlookup where , inside a subsearch

somesoni2 — Wed, 07 Feb 2018 19:07:57 GMT

How are you passing application name to your main search?

Re: How to pass a value to the |inputlookup where , inside a subsearch

AVOLLMER — Tue, 29 Sep 2020 18:01:23 GMT

I want to pass application name from my main search to the subsearch to use it to filter values in the inputlookup and extract the values I want to use to filter the main search.

My csv files has application, filter_field , filter_values, prod_issue, timestamp, user. I don't care about the last 2 columns... my subquery takes those columns and for each prod_issue make a parenthesis set with OR statements between them.. inside the parenthesis is has application=myservice AND field1_prod_issue1=value AND field2_prod_issue1=value for each field / value pair that exists per prod_issue, as shown in the example above. They way I currently have it set up, it works fine, except it pulls all of the for every application...but I only want it to pull the field / value pairs for the application currently being searched for, not EVERY possible combination.

Re: How to pass a value to the |inputlookup where , inside a subsearch

somesoni2 — Wed, 07 Feb 2018 20:45:58 GMT

So you want to take all the application from index=examp1 sourcetype=json and only apply filters for those apps?
If yes, you can do this dirty workaround:

index=examp1 sourcetype=json  NOT [|inputlookup aps_test_filter.csv | where [search index=examp1 sourcetype=json | stats count by application | table application]| fields application prod_issue filter_field filter_values| eval {filter_field}=filter_values | fields - filter_field filter_values | stats values(*) as * by prod_issue | fields - prod_issue]

But it may be more in-efficient than having all application filters being applied (subsearch inside subsearch). What's the problem that you see when all application filters are applied?

Re: How to pass a value to the |inputlookup where , inside a subsearch

AVOLLMER — Wed, 07 Feb 2018 21:28:54 GMT

That work around wouldn't work as any index or sourcetype could be used, and a user might pick an application or 3 applications might result from the rest of whatever they happen to be searching for. Then I would have to pass the whole search inside.

I don't necessarily have a problem with it pulling all of the values out, it works as expected, I just anticipate this lookup to grow really big and it could have a couple hundred AND / OR combinations to filter on if I can't figure out a way to only pull only those filters that are applicable to the applications which result from the main search.