Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Help on inputlookup subsearch

jip31
Motivator
‎09-06-2023 06:31 AM

Hi

I cross the results of a subsearch with a main search like this

index=toto [inputlookup test.csv

|eval user=Domain."\\"Sam

|table user]

|table _time user

Imagine I need to add a new lookup in my search 

For example i would try to do something like this 

index=toto [inputlookup test.csv OR inputlookup test2.csv

|eval user=Domain."\\"Sam

|table user]

|table _time user

How to do this please?

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎09-06-2023 07:24 AM

Hi @jip31,

you have to set the OR condition before the subsearch, something like this:

index=toto ([ | inputlookup test.csv OR inputlookup test2.csv | eval user=Domain."\\"Sam | table user ] OR [ | inputlookup test2.csv | eval user=Domain."\\"Sam | table user ])
| table _time user

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎09-06-2023 03:43 PM

Try this by combining the two lookups using append for the second lookup

index=toto [ 
  | inputlookup test.csv 
  | inputlookup test2.csv append=t
  | eval user=Domain."\\".Sam
  | table user]
| table _time user

I believe there is a missing '.' in your eval statement setting up user  and 'Sam' is a field name?

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎09-06-2023 07:24 AM

Hi @jip31,

you have to set the OR condition before the subsearch, something like this:

index=toto ([ | inputlookup test.csv OR inputlookup test2.csv | eval user=Domain."\\"Sam | table user ] OR [ | inputlookup test2.csv | eval user=Domain."\\"Sam | table user ])
| table _time user

Ciao.

Giuseppe

Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎05-26-2024 05:36 PM

Just pointing out here that the statement

| inputlookup test.csv OR inputlookup test2.csv

is not valid Splunk - you cannot do two inputlookup commands like that.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-07-2023 03:49 AM

Hi @jip31 ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...