https://community.splunk.com/t5/Splunk-Search/Help-required-regarding-lookup/m-p/407468#M172812 <P>Are you trying to use this in dashboard?</P> <P>|makeresults | eval Name="Get", Subcategory="Vehicle" | inputlookup search_query.csv Name Subcategory OUTPUT Query </P> <P>the above will return your search (Query).</P> Mon, 25 Feb 2019 17:46:37 GMT lakshman239 2019-02-25T17:46:37Z https://community.splunk.com/t5/Splunk-Search/Help-required-regarding-lookup/m-p/407467#M172811 <P>I have a lookup(search_query.csv) with data as below.</P> <PRE><CODE>Name Subcategory Query Get Vehicle index=abc I where api=fig I table api msg Post Summary index=cfg I where api=his I table api msg </CODE></PRE> <P>[Note : lookup has 1000's row data such as above]</P> <P>Now I would want to run a query using the above lookup,when name and subcategory matches,it has to execute the corresponding query. (i.e., use Name and Subcategory as input and get the query as output and use the output query as the search).</P> <P>Is it possible?????</P> Mon, 25 Feb 2019 16:57:33 GMT https://community.splunk.com/t5/Splunk-Search/Help-required-regarding-lookup/m-p/407467#M172811 deepusoundar 2019-02-25T16:57:33Z https://community.splunk.com/t5/Splunk-Search/Help-required-regarding-lookup/m-p/407468#M172812 <P>Are you trying to use this in dashboard?</P> <P>|makeresults | eval Name="Get", Subcategory="Vehicle" | inputlookup search_query.csv Name Subcategory OUTPUT Query </P> <P>the above will return your search (Query).</P> Mon, 25 Feb 2019 17:46:37 GMT https://community.splunk.com/t5/Splunk-Search/Help-required-regarding-lookup/m-p/407468#M172812 lakshman239 2019-02-25T17:46:37Z https://community.splunk.com/t5/Splunk-Search/Help-required-regarding-lookup/m-p/407469#M172813 <P>Yes,am tryinh to use this for dashboard only..</P> <P>I just do not want to get the query as result instead i would want to execute the query and see the result of that query..</P> <P>For example,<BR /> For an event matching Name and subcategory,it has to fetch the query from lookup and execute that search and show the result..</P> Mon, 25 Feb 2019 18:21:45 GMT https://community.splunk.com/t5/Splunk-Search/Help-required-regarding-lookup/m-p/407469#M172813 deepusoundar 2019-02-25T18:21:45Z https://community.splunk.com/t5/Splunk-Search/Help-required-regarding-lookup/m-p/407470#M172814 <P>How are you planning to execute the query and how are you selecting/providing those Name/Subcategory field values? Are they going to come from a dropdown or something?</P> Mon, 25 Feb 2019 19:05:51 GMT https://community.splunk.com/t5/Splunk-Search/Help-required-regarding-lookup/m-p/407470#M172814 somesoni2 2019-02-25T19:05:51Z https://community.splunk.com/t5/Splunk-Search/Help-required-regarding-lookup/m-p/407471#M172815 <P>To my knowledge, you cannot pass the whole query from the output of lookup for a search.<BR /> But if you have query with fixed variables as you mentioned in the sample and constant query, you can try something like this:<BR /> index=abc I where api=fig I table api msg<BR /> Split the fields from the query into individual fields <BR /> <STRONG>ex:</STRONG> index_from_lookup=abc , api_from_lookup=fig, so you lookup looks like this </P> <P>Name Subcategory index_from_lookup api_from_lookup<BR /> Get Vehicle abc fig<BR /> Post Summary cfg his</P> <P>and then pass them to map command after the lookup. Sample is shown below. I have used "where" instead of "lookup command" for sample as I don't have the csv to do lookup</P> <P>|makeresults<BR /> | eval Name="Get" | eval category="Vehicle" | eval index_from_lookup="_internal" | eval file_from_lookup="shelper"<BR /> |append <BR /> [|makeresults<BR /> | eval Name="Post" | eval category="Summary" | eval index_from_lookup="_internal" | eval file_from_lookup="messages"]<BR /> | where Name="Post" AND category="Summary"<BR /> | map search="search index=$index_from_lookup$ file=$file_from_lookup$ | table method, output_mode"</P> <P>If you have limited searches in lookup and if you can create macros for each search, you can try this after you have the macro name from output of lookup<BR /> | map search="search <CODE>$macro_name_from_lookup_output$</CODE>" (This will not be an option for you if you have 1000 different queries in your lookup).</P> <P>Hope it helps.</P> Tue, 29 Sep 2020 23:25:44 GMT https://community.splunk.com/t5/Splunk-Search/Help-required-regarding-lookup/m-p/407471#M172815 cvssravan 2020-09-29T23:25:44Z https://community.splunk.com/t5/Splunk-Search/Help-required-regarding-lookup/m-p/407472#M172816 <P>The name and subcategory as they come in the event,when they get matched,they are used as input of lookup and query as the output and that query has to be executed</P> Mon, 25 Feb 2019 21:25:30 GMT https://community.splunk.com/t5/Splunk-Search/Help-required-regarding-lookup/m-p/407472#M172816 deepusoundar 2019-02-25T21:25:30Z https://community.splunk.com/t5/Splunk-Search/Help-required-regarding-lookup/m-p/407473#M172817 <P>You cannot do that in the search pipeline to my knowledge. you may be able to achieve that in a dashboard, but having a search which matches Name and subcategory as input against your events returning the Query. And when user clicks it, you can show/run the search to return results in another window/panel in the dashboard [ drill-down search]</P> Tue, 26 Feb 2019 09:46:16 GMT https://community.splunk.com/t5/Splunk-Search/Help-required-regarding-lookup/m-p/407473#M172817 lakshman239 2019-02-26T09:46:16Z https://community.splunk.com/t5/Splunk-Search/Help-required-regarding-lookup/m-p/407474#M172818 <P>Can yu help me on how to proceed with it</P> Tue, 26 Feb 2019 10:01:44 GMT https://community.splunk.com/t5/Splunk-Search/Help-required-regarding-lookup/m-p/407474#M172818 deepusoundar 2019-02-26T10:01:44Z https://community.splunk.com/t5/Splunk-Search/Help-required-regarding-lookup/m-p/407475#M172819 <P>pls download the <A href="https://splunkbase.splunk.com/app/1603/">https://splunkbase.splunk.com/app/1603/</A> app and install on your dev instance and you can look for 'Drilldown Elements' and it has samples in Drilldown Link Dashboard. A few others can also help you.</P> <P>You can your base search which is something like index=* | inputlookup search_query.csv Name subcategory OUTPUT query .. this will show results in the first dashboard panel. When users click any row, you can then use token [ will have contents of query] and pass it to drill-down search to run that and return results in another panel within the same dashboard.</P> Tue, 26 Feb 2019 11:33:30 GMT https://community.splunk.com/t5/Splunk-Search/Help-required-regarding-lookup/m-p/407475#M172819 lakshman239 2019-02-26T11:33:30Z https://community.splunk.com/t5/Splunk-Search/Help-required-regarding-lookup/m-p/407476#M172820 <P>if you are happy with the solution, pls accept to close the thread.</P> Tue, 26 Feb 2019 17:33:14 GMT https://community.splunk.com/t5/Splunk-Search/Help-required-regarding-lookup/m-p/407476#M172820 lakshman239 2019-02-26T17:33:14Z