topic Re: Utilizing dynamic filter with inputlookup subsearch in Splunk Search

Utilizing dynamic filter with inputlookup subsearch

harry1 — Fri, 08 Jan 2021 20:44:52 GMT

Hi,

I am having a situation where a lookup table defines search filters that needs to be used as part of search query. The dynamic filter (data_owner_filter) is built from original search results and subsearch filters are defined by lookup table, where filters can either be inclusive or exclusive.

I have tried with a following kind of approach, but the problem of subsearch not being able to reach value defined as data_owner_filter:

Re: Utilizing dynamic filter with inputlookup subsearch

to4kawa — Sat, 09 Jan 2021 12:52:37 GMT

<search> | eval data_owner_filter=mvindex(split(data_owner,"_"),1) | lookup lookup_table.csv dynamic_filter as data_owner_filter fieldx OUTPUTNEW | table fieldx, fieldy, data_owner ,rule_type, static_filter | search as_you_want

e.g. https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Lookup

Re: Utilizing dynamic filter with inputlookup subsearch

harry1 — Mon, 11 Jan 2021 11:03:08 GMT

Thanks. Figured out that it would be doable the way you mentioned, but since the amount of fields from lookup table is changing once in a while and the resulting search being hard to maintain, I decided it is better to split the search into two searches and do the dynamic part of filtering on the second search.