Splunk Search

How to drop field name from a lookup table similar to the return function?

wills2g
New Member

Hi All,

To give some context, the return function in Splunk when used with a subsearch allows you to drop the field name when used with the "$" symbol. So for example in the subsearch: [search index=A | fields test | return $test], rather than returning test=B or test=C, this will only return "B" and "C".

If I create a search like: index=A inputlookup lookup.csv | return $test, is there any way to only return the value in the inputlookup "B" and not test=B. Or if there are any other ways to do this?

Thanks

0 Karma
1 Solution

HiroshiSatoh
Champion

Use query.

index=A  [inputlookup lookup.csv | rename test as query] 

0 Karma


wills2g
New Member

Thanks for that, it works great. Would you be able to explain what renaming to query does?

0 Karma

HiroshiSatoh
Champion

It is described in the manual.

https://docs.splunk.com/Documentation/Splunk/7.1.1/Search/Changetheformatofsubsearchresults

Only the first one:
index = * [inputlookup xxx.csv | fields col_a | rename col_a as search]
-> index = * "AA"

For all of them:
index = * [inputlookup xxx.csv | fields col_a | rename col_a as query]
-> index = * ("AA" OR "CC")
0 Karma
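The following is an added example, not code from the thread or from Splunk: a small Python model of how a subsearch's rows are spliced into the outer search, following the behaviour the accepted answer and the linked manual page describe. It models the default `( ( field="value" ) OR ( field="value" ) )` output and the special field names `search` and `query`, whose values are inserted as bare terms. The lookup rows, the field name `test` and the index name `A` are constructed sample data, and the exact quoting and whitespace of real Splunk output are approximated rather than reproduced.

```python
"""Model of Splunk subsearch formatting (added example, not Splunk's own code).
Shows why `rename test AS query` turns test="B" OR test="C" into "B" OR "C"."""
from typing import Dict, List

# Field names whose values Splunk inserts into the outer search without a
# `field=` prefix (see the "Change the format of subsearch results" manual page).
SPECIAL_FIELDS = ("search", "query")

# Constructed stand-in for the rows returned by `| inputlookup lookup.csv`.
LOOKUP_ROWS: List[Dict[str, str]] = [{"test": "B"}, {"test": "C"}]


def quote(value: str) -> str:
    """Quote one value as a single search term, escaping backslashes and double
    quotes so a lookup row containing `"` cannot change the shape of the search."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def rename(rows: List[Dict[str, str]], old: str, new: str) -> List[Dict[str, str]]:
    """Model `| rename old AS new` applied to every subsearch row."""
    return [{(new if k == old else k): v for k, v in row.items()} for row in rows]


def format_subsearch(rows: List[Dict[str, str]]) -> str:
    """Model the default subsearch formatting: the fields of one row are ANDed,
    the rows are ORed. A field named `search` or `query` contributes only its
    value, which is what drops the `test=` prefix the question asks about."""
    if not rows:
        # Splunk's handling of an empty subsearch is not modelled here.
        raise ValueError("subsearch returned no rows")
    clauses = []
    for row in rows:
        terms = [
            quote(v) if k in SPECIAL_FIELDS else f"{k}={quote(v)}"
            for k, v in row.items()
        ]
        clauses.append("( " + " AND ".join(terms) + " )")
    return "( " + " OR ".join(clauses) + " )"


def expand(outer: str, rows: List[Dict[str, str]]) -> str:
    """Return the outer search with the formatted subsearch appended, i.e. what
    `index=A [ ... ]` looks like once the subsearch has run."""
    return f"{outer} {format_subsearch(rows)}"


if __name__ == "__main__":
    # Without the rename the field name survives.
    print(expand("index=A", LOOKUP_ROWS))
    # With `rename test AS query` only the values remain, ORed together.
    print(expand("index=A", rename(LOOKUP_ROWS, "test", "query")))
```

This is the same mechanism behind the common detection pattern of matching events against an indicator list kept in a lookup, e.g. `index=proxy [| inputlookup ioc_domains.csv | fields domain | rename domain AS query]`. Two caveats a practitioner should keep in mind: subsearches are bounded by the `[subsearch]` settings in limits.conf (by default 10,000 result rows and 60 seconds), so a large lookup is silently truncated; and because the values are spliced into the search string as search terms, a lookup populated from an untrusted source should be reviewed before it drives a scheduled search.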