How to multisearch using values from more than one lookup?

amitrinx — Fri, 26 May 2023 04:15:03 GMT

I have two lookups
RLQuotas: Endpoint, Endpoint Name, filter, quota, Window
RLFilters: Attribute, filter

I want to loop through all the endpoints. all endpoints have a specific window, quota and filter and i am searching it based on filter attribute
I want output fields Endpoint Name, filter, Quota

This is the query i came up with

| inputlookup ID-RL-Quotas | lookup ID-RL-Filters Filter | fields Endpoint, "Endpoint Name", Attribute, Window, Quota, Filter | rename "Endpoint Name" as EndpointName
| map [| eval Window = tonumber($Window$) | search sourcetype="some"
http_url = "$Endpoint$"
minutesago=Window
| eval ip = mvindex(split(http_remoteip,","),0)
| eval EndpointName = "$EndpointName$"
| eval WindowI ="$Window$"
| eval QuotaI="$Quota$"
| eval FilterI="$Filter$"
| search $Attribute$ = "*"
| stats values(EndpointName) as "Endpoint Name", values(FilterI) as Filter, values(WindowI) as Window, values(QuotaI) as Quota, count by $Attribute$
| where count >= 0.8 * $Quota$
| sort -count] maxsearches=10000

This only gives me one filter output not all

Re: Multisearch using values from more than one lookup

PickleRick — Wed, 11 Jan 2023 05:43:49 GMT

Firstly, the topic says "multisearch" and you're using map.

Secondly, you don't have any event-generating commands in your map.

Thirdly, most probably this isnot the way to solve your problem.

topic How to multisearch using values from more than one lookup? in Splunk Search

How to multisearch using values from more than one lookup?

Re: Multisearch using values from more than one lookup