topic inputlookup - How to search through all lookup fields in Splunk Search

inputlookup - How to search through all lookup fields

evelenke — Wed, 17 Aug 2016 16:15:20 GMT

Hi, Splunkers!

Looking for easy way to get results from any lookup table like it might be: | inputlookup mylookup | search "keyword"
Of course this doesn't work, as I didn't specify field name.
But how could I get raws from my table where any of the field matches my request.
This might also be handy when I don't know or won't specify a field name or while searching through different tables with different field names simultaneously.

Re: inputlookup - How to search through all lookup fields

horsefez — Tue, 29 Sep 2020 10:41:37 GMT

Hi evelenke,

I like to use something like this to output fields out of a lookuptable when certain conditions match:

| lookup ip_info.csv src_ip OUTPUT subnet_mask, user, device

"src_ip" is the field in the lookuptable you want to match with the field in your existing search (this fields name needs to be also "src_ip") (PS: if your existing field is "source_ip" you could rename it before the lookup to "src_ip" and then after the lookup you could rename it back)

"OUTPUT" is the command after which the fields should follow you want to read out of the lookup-file.
"subnet-mask", "user", "device" are the actual field names in the lookup table

Best regards,
pyro_wood

Re: inputlookup - How to search through all lookup fields

inventsekar — Wed, 17 Aug 2016 16:40:08 GMT

try this -

 | inputlookup mylookup | search keyword="value"

i have a mapZipcode lookup configured on my system and to look for Florida, and this works fine -
| inputlookup mapZipCode | search city="Florida"

Re: inputlookup - How to search through all lookup fields

evelenke — Tue, 29 Sep 2020 10:41:39 GMT

Thanks guys, but...
Let's say I have feeds from Inventory DB and I'd like to create view in Splunk where I can choose any category of assets (separate resulting csv tables, like inventory_pc, inventory_vm etc) and define some keyword and it will be looking for that word. Fields for each category have something different from other category - e.g. name of assets - 'PC Name', 'VM Name', 'Device Name', some categories have unique fields - you'll never know what to expect. Panel in my form should have unified search: | inputlookup $category$ | search $keyword$ $search$.

How can I achieve this?

Re: inputlookup - How to search through all lookup fields

inventsekar — Tue, 29 Sep 2020 10:39:11 GMT

i am not sure if i understand your task correctly, but, lets check this -
| inputlookup mylookup | search mylookup_column_name=$keyword$

Re: inputlookup - How to search through all lookup fields

somesoni2 — Wed, 17 Aug 2016 18:35:02 GMT

Assuming $category$ is correctly giving the lookup table name to use, give this a shot

 | inputlookup $category$ | eval raw="" | foreach * [eval raw=raw.",".coalesce('<<FIELD>>',"") ] | search raw="*$keyword$*"

What is the different between your keyword and Type search textbox value?

Re: inputlookup - How to search through all lookup fields

Runals — Thu, 18 Aug 2016 02:32:09 GMT

I think somesoni2 has the right of it - combine the data into a giant string that you then search. Mine is just slightly different but uses the same concept

| inputlookup mylist | eval foo="" | foreach * [ eval foo = foo."|".<<FIELD>>] | search foo= *myterm* | fields - foo

I added the pipes just because /shrug. Alternatively I suppose you could populate a dropdown with the fields from whichever list the user selects. I'd do that with something like

| inputlookup $category$ | transpose | table column

Re: inputlookup - How to search through all lookup fields

evelenke — Thu, 18 Aug 2016 08:31:45 GMT

Great, this approach works!
I should examine search commands more diligently )
Great suggestion, Runals, I'll add this dropdown to my form.
As for "Type search" - this is just for situations when user needs to add something to search directly in this view.
Thank you!

Re: inputlookup - How to search through all lookup fields

makelovenotwar — Wed, 17 May 2023 11:47:31 GMT

can you explain the point of coalesce() in the solution? Are you trying to account for null fields with blank instead of null?