https://community.splunk.com/t5/Splunk-Search/search-with-parameters/m-p/503638#M140585 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/57922">@efika</a><BR />thanks, it is working but it is not allowed me to be dynamic.<BR />what if my file will contain more than one row ?<BR />also, not all the values in "row 1" are eventtypes.. how can i use the values from the file as arguments ?</P> Tue, 09 Jun 2020 21:35:20 GMT sarit_s 2020-06-09T21:35:20Z https://community.splunk.com/t5/Splunk-Search/search-with-parameters/m-p/470637#M132394 <P>Hello,</P> <P>I have this query:</P> <PRE><CODE>index=prod eventtype="csm-messages-dhcpd-lpf-eth0-listening" OR eventtype="csm-messages-dhcpd-lpf-eth0-sending" OR eventtype="csm-messages-dhcpd-send-socket-fallback-net" OR eventtype="csm-messages-dhcpd-write-zero-leases" OR eventtype="csm-messages-dhcpd-eth1-nosubnet-declared" | transaction maxpause=2s maxspan=2s maxevents=5 | eval Max_time=(duration + _time) | eval Min_time=(_time) | table _time,eventcount, eventtype ,Min_time, Max_time,tail_id,kafka_uuid | foreach eventtype [eval flag_eventtype=if(eventcount!=5,"no", "yes")] </CODE></PRE> <P>now i have a lookup table and i want to set parameters in my query that will be taken from the lookup table.<BR />for example , instead of searching</P> <PRE><CODE>eventtype="csm-messages-dhcpd-lpf-eth0-listening" OR eventtype="csm-messages-dhcpd-lpf-eth0-sending" OR eventtype="csm-messages-dhcpd-send-socket-fallback-net" OR eventtype="csm-messages-dhcpd-write-zero-leases" OR eventtype="csm-messages-dhcpd-eth1-nosubnet-declared" </CODE></PRE> <P>i want to take the values of the eventtype from the lookup table</P> <P>how can i do that ?</P> <P>thanks</P> Mon, 08 Jun 2020 17:23:48 GMT https://community.splunk.com/t5/Splunk-Search/search-with-parameters/m-p/470637#M132394 sarit_s 2020-06-08T17:23:48Z https://community.splunk.com/t5/Splunk-Search/search-with-parameters/m-p/470638#M132395 <P>Hi Sarit,</P> <P>Do a subsearch, get all the lookup values into a Multi Value field (MV) and compare the eventtype in the outer search to this MV.</P> Wed, 03 Jun 2020 14:23:39 GMT https://community.splunk.com/t5/Splunk-Search/search-with-parameters/m-p/470638#M132395 efika 2020-06-03T14:23:39Z https://community.splunk.com/t5/Splunk-Search/search-with-parameters/m-p/470639#M132396 <P>@sarit_s </P> <P>Try </P> <PRE><CODE>index=prod [ |inputlookup myLookup | table eventtype] | YOUR REST SEARCH </CODE></PRE> Wed, 03 Jun 2020 14:36:59 GMT https://community.splunk.com/t5/Splunk-Search/search-with-parameters/m-p/470639#M132396 kamlesh_vaghela 2020-06-03T14:36:59Z https://community.splunk.com/t5/Splunk-Search/search-with-parameters/m-p/470640#M132397 <P>Hey, thanks for your answer.. <BR /> my lookup table has 10 different columns that calls UsedRule1...UsedRule10<BR /> eventtype should be each one of the UsedRole in the lookup</P> Wed, 03 Jun 2020 16:49:36 GMT https://community.splunk.com/t5/Splunk-Search/search-with-parameters/m-p/470640#M132397 sarit_s 2020-06-03T16:49:36Z https://community.splunk.com/t5/Splunk-Search/search-with-parameters/m-p/470641#M132398 <P>hi, thanks for your answer...</P> <P>i know the algorithm, i just don't know how to apply it</P> Wed, 03 Jun 2020 16:50:14 GMT https://community.splunk.com/t5/Splunk-Search/search-with-parameters/m-p/470641#M132398 sarit_s 2020-06-03T16:50:14Z https://community.splunk.com/t5/Splunk-Search/search-with-parameters/m-p/470642#M132399 <P>The end result of the subsearch should be a table with a column that is named "eventtype" and values that should be what you are searching for.<BR /> based on what you are describing you might need to transpose the results of the inputlookup</P> Thu, 04 Jun 2020 07:21:41 GMT https://community.splunk.com/t5/Splunk-Search/search-with-parameters/m-p/470642#M132399 efika 2020-06-04T07:21:41Z https://community.splunk.com/t5/Splunk-Search/search-with-parameters/m-p/470643#M132400 <P>im not sure i understood what you are saying... </P> <P>this is how my table looks like :</P> <BLOCKQUOTE> <P>AlertNameNonUnique AlertNameUnique AlertSevirityNonUnique AlertSevirityUnique UsedRule1 UsedRule10 UsedRule2 UsedRule3 UsedRule4 UsedRule5 UsedRule6 UsedRule7 UsedRule8 UsedRule9</P> </BLOCKQUOTE> <P>how can i use this values as parameters in my query ?</P> Thu, 04 Jun 2020 07:46:32 GMT https://community.splunk.com/t5/Splunk-Search/search-with-parameters/m-p/470643#M132400 sarit_s 2020-06-04T07:46:32Z https://community.splunk.com/t5/Splunk-Search/search-with-parameters/m-p/470644#M132401 <P>Try this in the subsearch:<BR /> | inputlookup <LOOKUP name=""><BR /> | fields Used* <BR /> | transpose <BR /> | rename "row 1" as eventtype <BR /> | fields eventtype</LOOKUP></P> Thu, 04 Jun 2020 13:59:26 GMT https://community.splunk.com/t5/Splunk-Search/search-with-parameters/m-p/470644#M132401 efika 2020-06-04T13:59:26Z https://community.splunk.com/t5/Splunk-Search/search-with-parameters/m-p/503638#M140585 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/57922">@efika</a><BR />thanks, it is working but it is not allowed me to be dynamic.<BR />what if my file will contain more than one row ?<BR />also, not all the values in "row 1" are eventtypes.. how can i use the values from the file as arguments ?</P> Tue, 09 Jun 2020 21:35:20 GMT https://community.splunk.com/t5/Splunk-Search/search-with-parameters/m-p/503638#M140585 sarit_s 2020-06-09T21:35:20Z