https://community.splunk.com/t5/Splunk-Search/Rest-search-with-input-from-inputlook/m-p/541225#M153228 <P>Hi,</P><P>I'm bouncing my head against the wall for this (probably) simple question..</P><P>&nbsp;</P><P>I've got a inputlookup "indexers". As the name says.. those are the splunk indexers, but will be more than that in the future. I want to get disc sizes off them with the below serach</P><P><STRONG><EM>|inputlookup indexers | fields host | stats count by host |map search="search (| rest splunk_server=$host$ /services/server/status/partitions-space]")</EM></STRONG></P><P>It all goes well until the map command. The stats gives a nice list off the servers. It goes wrong at the "<STRONG>search (| rest splunk_server=$host$ /services/server/status/partitions-space]</STRONG>"&nbsp; &nbsp;part.</P><P>When i try this part off the search.. it strips the | from the search.. and gives nothing. It seems a search command followed with a | will strip the | .. and then de rest search is useless.</P><P>What can i do to pass the hostnames from the inputlookup to the <EM>|rest</EM> search?</P><P>&nbsp;</P><P>Thanx in advance</P><P>&nbsp;</P><P>grts</P><P>Jari</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 24 Feb 2021 14:30:28 GMT jariw 2021-02-24T14:30:28Z https://community.splunk.com/t5/Splunk-Search/Rest-search-with-input-from-inputlook/m-p/541225#M153228 <P>Hi,</P><P>I'm bouncing my head against the wall for this (probably) simple question..</P><P>&nbsp;</P><P>I've got a inputlookup "indexers". As the name says.. those are the splunk indexers, but will be more than that in the future. I want to get disc sizes off them with the below serach</P><P><STRONG><EM>|inputlookup indexers | fields host | stats count by host |map search="search (| rest splunk_server=$host$ /services/server/status/partitions-space]")</EM></STRONG></P><P>It all goes well until the map command. The stats gives a nice list off the servers. It goes wrong at the "<STRONG>search (| rest splunk_server=$host$ /services/server/status/partitions-space]</STRONG>"&nbsp; &nbsp;part.</P><P>When i try this part off the search.. it strips the | from the search.. and gives nothing. It seems a search command followed with a | will strip the | .. and then de rest search is useless.</P><P>What can i do to pass the hostnames from the inputlookup to the <EM>|rest</EM> search?</P><P>&nbsp;</P><P>Thanx in advance</P><P>&nbsp;</P><P>grts</P><P>Jari</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 24 Feb 2021 14:30:28 GMT https://community.splunk.com/t5/Splunk-Search/Rest-search-with-input-from-inputlook/m-p/541225#M153228 jariw 2021-02-24T14:30:28Z https://community.splunk.com/t5/Splunk-Search/Rest-search-with-input-from-inputlook/m-p/541230#M153230 <P>Hi Jari,<BR /><BR />You don't need to run sub-search for each host. Run&nbsp;<STRONG>rest </STRONG>command first, append <STRONG>lookup</STRONG> results, and use <STRONG>stats</STRONG> to merge.</P><LI-CODE lang="markup">| rest /services/server/status/partitions-space | append [| inputlookup indexers | fields host | stats count by host | eval splunk_server=host] | stats max(*) as * by splunk_server | where host="*"</LI-CODE><P>&nbsp;</P><P><STRONG>| where host="*"</STRONG> gives results only for hosts in the lookup file.<BR /><BR />If this reply helps you, an upvote/like would be appreciated.</P> Wed, 24 Feb 2021 14:55:55 GMT https://community.splunk.com/t5/Splunk-Search/Rest-search-with-input-from-inputlook/m-p/541230#M153230 manjunathmeti 2021-02-24T14:55:55Z https://community.splunk.com/t5/Splunk-Search/Rest-search-with-input-from-inputlook/m-p/541234#M153233 <P>Yes.. That's it. Didn't think about changing the order. Thanx again&nbsp;<span class="lia-unicode-emoji" title=":thumbs_up:">👍</span></P> Wed, 24 Feb 2021 15:24:13 GMT https://community.splunk.com/t5/Splunk-Search/Rest-search-with-input-from-inputlook/m-p/541234#M153233 jariw 2021-02-24T15:24:13Z https://community.splunk.com/t5/Splunk-Search/Rest-search-with-input-from-inputlook/m-p/541235#M153234 <P>please accept and upvote answer if it is working.</P> Wed, 24 Feb 2021 15:37:45 GMT https://community.splunk.com/t5/Splunk-Search/Rest-search-with-input-from-inputlook/m-p/541235#M153234 manjunathmeti 2021-02-24T15:37:45Z