Dashboards & Visualizations

How to search field with inputlookup?

POR160893
Builder

Hi,

I am creating a dashboard where the data is provided via CSV. So, I am using the inputlookup command. 

However, I need to search on one specific field (or column) on the CSV and I am currently using this but it is not working:

 

| inputlookup ABC
| search Device Name = "sdf"

 



Can you please help?

Labels (1)
Tags (1)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust
| where match('Device Name',"buemwgproxy02")

View solution in original post

POR160893
Builder

I think the issue is the field name is composed of 2 words "Device Name" and I am not sure how to search with this ...

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Will where work better for you?

| inputlookup ABC
| where 'Device Name' = "sdf"

Note that the field name needs to be in single quotes if it has embedded spaces or other special characters 

0 Karma

POR160893
Builder

POR160893_0-1653559962929.png

No quiet 😞

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

The where command will use a case-sensitive comparison whereas search uses case-insensitive comparisons. Is this perhaps the issue?

0 Karma

POR160893
Builder

POR160893_0-1653561570373.png


What did I do incorrectly? The field name is "Device Name".

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

What about if you just search for buemwgproxy02 without the field name

| search "buemwgproxy02"

 

0 Karma

POR160893
Builder

POR160893_0-1653562600051.png



No luck 😣

0 Karma

POR160893
Builder

Hey,

 

So, I was just asked to further update this dashboard so that the default values of the panels show ALL values of the lookup tables.

The tricky bit is incoporating that requets into the current query which is as follows:
<panel>
<title>McAfee</title>
<table>
<search>
<query>
| inputlookup Migration-Status-McAfee
| where match('Device Name',"$mcafee_tok$")</query>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">true</option>
</table>
</panel>

However, when I search for all, it fails:


POR160893_0-1653577997603.png

 

 



Can you please help?

Thanks so much!

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Make the all value ".*" instead of just "*" - if necessary, if you are using that token elsewhere successfully, you may need to eval a new token to cater for this case.

POR160893
Builder

This was perfect!
Thanks a million and learned something new here too!

0 Karma

POR160893
Builder

Hey,

 

So, I was just asked to further update this dashboard so that the default values of the panels show ALL values of the lookup tables.

The tricky bit is incoporating that requets into the current query which is as follows:
<panel>
<title>McAfee</title>
<table>
<search>
<query>
| inputlookup Migration-Status-McAfee
| where match('Device Name',"$mcafee_tok$")</query>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">true</option>
</table>
</panel>

However, when I search for all, it fails:

POR160893_0-1653577906883.png

 



Can you please help?

Thanks so much!

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
| where match('Device Name',"buemwgproxy02")

POR160893
Builder

Thank you  😀

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...