I realize you can do this with the dbquery command using |dbquery. I would like to know if there is a way to use a database lookup without a sourcetype/index in the search or subsearch.
For instance,
I would look to do something like:
| rename $UID$ as item1 | lookup dbtable item1 output item2,item3,item4
within a search or subsearch?
Thanks,
-Bob
I have found:
| stats count | eval DBCOLUMN="value" | lookup dbtable DBCOLUMN OUTPUT COLUMN2,COLUMN3
this does what I was looking for.
Here is the problem, I think -
You can't just define a field like NAME. A field must be part of an event or added to the results table. It can't exist independently.
The lookup command must have something as an input; it operates on data (events or results) that are passed to it in the pipeline. Since the eval command isn't creating a field, there is nothing to lookup.
Why you don't get an error: Splunk takes the macro and inserts it into the command string. But when it executes the command string, there are no events input and therefore nothing to output.
Most of the time, the command string begins with a search. While a search doesn't have to begin with an index or sourcetype, the search does provide criteria for retrieving data. This data is then passed down the pipeline and processed by the next command in the pipeline, and so forth.
If you don't begin the command string with a search, you must provide some other data to the pipeline. There are only a few other ways:
There may be others, but this is all I could think of up front.
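An added example (not from this thread) of seeding the pipeline so that lookup has rows to operate on, without any index or sourcetype in the search. It uses the DB.PEOPLE lookup and the NAME and UID fields named in the question; the makeresults command is standard Splunk SPL and is an alternative to the stats count trick above, and the sample user names are constructed for illustration.

```spl
| makeresults
| eval NAME=split("jdoe,asmith,rlee", ",")
| mvexpand NAME
| lookup DB.PEOPLE NAME OUTPUT UID
| fields NAME UID
| eval matched=if(isnotnull(UID), "yes", "no")
```

makeresults emits one empty result row, eval and mvexpand turn the constructed list into one row per NAME, and only then does lookup have input to enrich. The final eval is a quick check that the lookup definition and field names are right: a "no" on every row means the rows never matched, which is usually a field-name or lookup-name problem rather than a pipeline problem. For a single value the split/mvexpand pair can be dropped and NAME set directly, which is what a macro taking $username$ would do.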
Have you tried it? Did you get an error?
There is no requirement that searches must contain an index or a sourcetype. And, the lookup doesn't depend on index or sourcetype, either.
As you have written it, it does depend on having a field named item1 in the pipeline. But otherwise, it should work - unless there is another problem that I can't see...
This is what I am trying as a macro:
| eval NAME=$username$ | lookup DB.PEOPLE NAME output UID | fields UID
When it inspects it, it adds a search in front of it all and appears to just do a full dump of all sourcetypes.
When I try removing the leading pipe:
eval NAME=$username$ | lookup DB.PEOPLE NAME output UID | fields UID
When I run this, I get nothing back. I should.
Thanks for looking at this.
-Bob