topic Re: Pass value to subsearch with inputlookup in Splunk Search

Pass value to subsearch with inputlookup

tdoSplunk — Wed, 30 Sep 2020 03:54:02 GMT

Hi,

perhaps it is the wrong approach, but i try to use an inputlookup within a search and pass a value to this subsearch.
It looks like this:

    index=myindex sourcetype=stype source=sourcename
    |eval SourceHost =[|inputlookup transfer_nodes.csv 
                       |search nodeId IN ($last_source_node_id$)
                       |fields name
                       |stats first(name) as SourceHost
                       |eval SourceHost="\"".SourceHost."\""
                       |return $SourceHost
                      ]
|eval DestinationHost =[|inputlookup transfer_nodes.csv 
                       |search nodeId IN ($last_dest_node_id$)
                       |fields name
                       |stats first(name) as DestinationHost
                       |eval DestinationHost="\"".DestinationHost."\""
                       |return $DestinationHost
                      ]
    |table name,SourceHost,DestinationHost

I get the following error: Error in 'eval' command: Failed to parse the provided arguments. Usage: eval dest_key = expression.

The problem is the passing of the value $last_source_node_id$ ($last_dest_node_id$)

I already tried to map the subsearch, then the passing works, but the result is not what i expected.

Finally I would like to use a macro like GetTransferNode($last_nodeId$)

Hope you have an idea how to solve it.

best regards and thank you in advance !

Re: Pass value to subsearch with inputlookup

to4kawa — Wed, 30 Sep 2020 03:47:54 GMT

What's token value "$last_source_node_id$"?
like A, B ?

Re: Pass value to subsearch with inputlookup

tdoSplunk — Thu, 23 Jan 2020 11:59:37 GMT

number like 1 or 2 or ...

Re: Pass value to subsearch with inputlookup

to4kawa — Thu, 23 Jan 2020 12:06:36 GMT

    index=myindex sourcetype=stype source=sourcename
     |eval SourceHost =[|inputlookup transfer_nodes.csv 
                        |search nodeId=$last_source_node_id$
                        |fields name
                        |stats first(name) as SourceHost
                        |eval SourceHost="\"".SourceHost."\""
                        |return $SourceHost
                       ]
 |eval DestinationHost =[|inputlookup transfer_nodes.csv 
                        |search nodeId=$last_dest_node_id$
                        |fields name
                        |stats first(name) as DestinationHost
                        |eval DestinationHost="\"".DestinationHost."\""
                        |return $DestinationHost
                       ]
     |table name,SourceHost,DestinationHost

unnecessary IN operator. How about this?

Re: Pass value to subsearch with inputlookup

tdoSplunk — Wed, 30 Sep 2020 03:54:23 GMT

this will not work. it is not possible to pass the token $last_dest_node_id$ to the subsearch

A map would be a possible solution like ...
|map [|inputlookup transfer_nodes.csv
|search nodeId=$last_source_node_id$]

but the table only contained the result of the subsearch, not the conbination of both searches

Re: Pass value to subsearch with inputlookup

tdoSplunk — Thu, 23 Jan 2020 12:29:45 GMT

I solved it by a join...
First I thought it will be to slow, but it works fine

| join type=left nodeId 
   [ |inputlookup transfer_nodes.csv
   |rename name as DestinationHost]
...

Re: Pass value to subsearch with inputlookup

to4kawa — Thu, 23 Jan 2020 12:34:34 GMT

index=myindex sourcetype=stype source=sourcename
[|inputlookup append=t transfer_nodes.csv]
|search nodeId=$last_source_node_id$ OR nodeId=$last_dest_node_id$
| eval host_flag=case(node_id=$last_source_node_id$,"Source",node_id=$last_dest_node_id$,"Dest")
| stats values(eval(if(flag="Source",name,NULL))) as SourceHost values(eval(if(flag="Dest",name,NULL))) as DestHost by name

I think, your result is like the result of this.