All Apps and Add-ons

How to search using ONLY lookup

alexsmirnoff
New Member

How do you search only using a lookup so that I can return a report with the contence of the lookup...

I do not want any index in the search.
I have created a database lookup using a view (Lets call it MyView). Lets call my Lookup which points the the view MyLookup
In the search result, I want to have
SELECT * FROM MyView
This does not require any index join or anything else. Can this be done and how?
I tried souce=MyLookup and I tried index=MyLookup
Nothing returns result.
Please help.

0 Karma

493669
Super Champion

If I understood correctly , you want to view contents in lookup then try this:

|inputlookup MyView

and if its csv lookup then try :

|inputlookup MyView.csv
0 Karma

alexsmirnoff
New Member

That did not work 😞
I type (replacing it with my lookup name)
"|inputlookup MyView"
into the test box called "Search" and this return 0 results. The "Search" text box is under Searches,reports, and alerts->new The result should be over 2 million.
As stated earlier, there is no index in the select statement so no prefix.
My database view is V_MyView and my lookup name for it is MvView. Do I need to do V_MyView instead?
Can this be done without the index?

0 Karma

gwalford
Path Finder

If you got no results from:

|inputlookup MyView

or from:

|inputlookup MyView.csv

Then your lookup file isn't loaded correctly. See if you can find it in:

Settings > Lookups > Lookup Table Files

If you do - also notice what "app" the lookup is in. This is important. If you are in the wrong app when you try the lookup, it will fail.

0 Karma

alexsmirnoff
New Member

This a Database Lookup. Not a csv.

0 Karma

alexsmirnoff
New Member

The below works, but is not using lookup. I need it to run as a lookup

| dbquery MyDatabase "SELECT DISTINCT TOP 10 * FROM V_MyView"

0 Karma

493669
Super Champion

which app you are using is it DB Connect or MySQL Connector?

0 Karma

alexsmirnoff
New Member

DB Connect

0 Karma

493669
Super Champion

have you created lookup from Data Lab > Lookups tab and click New Lookup?
for creation of lookup refer: http://docs.splunk.com/Documentation/DBX/3.1.2/DeployDBX/Createandmanagedatabaselookups#Create_a_dat...

0 Karma

alexsmirnoff
New Member

Already read this in the past.. Couldnt get it to work.

sourcetype=GTS_Sessions | dbxlookup lookup="GTS_Product_Lookup" | stats sum(product_price) as "spend" by uid

What is "GTS_Session" how is it defined?

0 Karma

493669
Super Champion

It will enrich your indexed events (i.e. sourcetype=GTS_Sessions) with the information you have stored in external databases ( i.e. dbxlookup lookup="GTS_Product_Lookup")
but in your case what you are trying ? are you trying to store dbquery select * from viewname result in lookup ?

0 Karma

alexsmirnoff
New Member

In short I am trying to do the exact same thing as this query
| dbquery MyDatabase "SELECT DISTINCT TOP 10 * FROM V_MyView"

This works 100%, but I want a lookup, something like

| dbxlookup lookup="MyLookup"

But this line works 0% 😞

0 Karma

493669
Super Champion

So if I understood it correctly, you are scheduling this saved search to run at specific interval and store its value in lookup so that lookup used in your query instead of writing select query.
If so then you can create csv lookup try this:

| dbquery MyDatabase "SELECT DISTINCT TOP 10 * FROM V_MyView"|outputlookup MyLookup.csv

so now your values are stored in MyLookup.csv and now you can use directly lookup like

|inputlookup MyLookup.csv
0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!