Dashboards & Visualizations

How to search field with inputlookup?

POR160893
Builder

Hi,

I am creating a dashboard where the data is provided via CSV. So, I am using the inputlookup command. 

However, I need to search on one specific field (or column) on the CSV and I am currently using this but it is not working:

 

| inputlookup ABC
| search Device Name = "sdf"

 



Can you please help?

Labels (1)
Tags (1)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust
| where match('Device Name',"buemwgproxy02")

View solution in original post

POR160893
Builder

I think the issue is the field name is composed of 2 words "Device Name" and I am not sure how to search with this ...

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Will where work better for you?

| inputlookup ABC
| where 'Device Name' = "sdf"

Note that the field name needs to be in single quotes if it has embedded spaces or other special characters 

0 Karma

POR160893
Builder

POR160893_0-1653559962929.png

No quiet 😞

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

The where command will use a case-sensitive comparison whereas search uses case-insensitive comparisons. Is this perhaps the issue?

0 Karma

POR160893
Builder

POR160893_0-1653561570373.png


What did I do incorrectly? The field name is "Device Name".

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

What about if you just search for buemwgproxy02 without the field name

| search "buemwgproxy02"

 

0 Karma

POR160893
Builder

POR160893_0-1653562600051.png



No luck 😣

0 Karma

POR160893
Builder

Hey,

 

So, I was just asked to further update this dashboard so that the default values of the panels show ALL values of the lookup tables.

The tricky bit is incoporating that requets into the current query which is as follows:
<panel>
<title>McAfee</title>
<table>
<search>
<query>
| inputlookup Migration-Status-McAfee
| where match('Device Name',"$mcafee_tok$")</query>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">true</option>
</table>
</panel>

However, when I search for all, it fails:


POR160893_0-1653577997603.png

 

 



Can you please help?

Thanks so much!

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Make the all value ".*" instead of just "*" - if necessary, if you are using that token elsewhere successfully, you may need to eval a new token to cater for this case.

POR160893
Builder

This was perfect!
Thanks a million and learned something new here too!

0 Karma

POR160893
Builder

Hey,

 

So, I was just asked to further update this dashboard so that the default values of the panels show ALL values of the lookup tables.

The tricky bit is incoporating that requets into the current query which is as follows:
<panel>
<title>McAfee</title>
<table>
<search>
<query>
| inputlookup Migration-Status-McAfee
| where match('Device Name',"$mcafee_tok$")</query>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">true</option>
</table>
</panel>

However, when I search for all, it fails:

POR160893_0-1653577906883.png

 



Can you please help?

Thanks so much!

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
| where match('Device Name',"buemwgproxy02")

POR160893
Builder

Thank you  😀

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...