topic Re: Doing lookup in the same index without using lookup command in Splunk Search

Doing lookup in the same index without using lookup command

thambisetty — Mon, 28 Sep 2020 16:53:16 GMT

Hi
[index=main host=syslog status="deny"| top src_IP | table src_IP ]:::::this is my sub search.
and it will produce top 10 src_IPs like below.
10.0.0.0

10.0.0.1
10.0.0.2
10.0.0.3
10.0.0.4
10.0.0.5
10.0.0.6
10.0.0.7
10.0.0.8
10.0.0.9
Now I want to check the status where status="start" OR status="accept" for the above src_IPs in the same index and host.

Please help me in this..
Thanks in advance.

Re: Doing lookup in the same index without using lookup command

somesoni2 — Thu, 19 Jun 2014 15:27:28 GMT

Try this

index=main host=syslog status="start" OR status="accept" [search index=main host=syslog status="deny"| top src_IP | table src_IP | format "" "" "" "" "OR" ""]

Re: Doing lookup in the same index without using lookup command

thambisetty — Mon, 28 Sep 2020 16:53:19 GMT

Thanks for ur immediate response.
I tried that one but it is showing different src_IPs. The src_IPs not at all related to result of sub search.

Re: Doing lookup in the same index without using lookup command

somesoni2 — Thu, 19 Jun 2014 15:54:16 GMT

Try the updated one.

Re: Doing lookup in the same index without using lookup command

thambisetty — Thu, 19 Jun 2014 15:56:45 GMT

Thanks.
Im not in office.
may I know why that format..

Re: Doing lookup in the same index without using lookup command

somesoni2 — Mon, 28 Sep 2020 16:53:27 GMT

This will create a consolidated single statement from results of subsearch (something like src_IP=value1 OR src_IP=value2...etc. Ideally previous version of the search should've worked but something adding format does the trick.

Re: Doing lookup in the same index without using lookup command

thambisetty — Fri, 20 Jun 2014 06:28:38 GMT

Thank u soooo much. it worked.