Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Help on inputlookup subsearch

jip31
Motivator
‎09-06-2023 06:31 AM

Hi

I cross the results of a subsearch with a main search like this

index=toto [inputlookup test.csv

|eval user=Domain."\\"Sam

|table user]

|table _time user

Imagine I need to add a new lookup in my search 

For example i would try to do something like this 

index=toto [inputlookup test.csv OR inputlookup test2.csv

|eval user=Domain."\\"Sam

|table user]

|table _time user

How to do this please?

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎09-06-2023 07:24 AM

Hi @jip31,

you have to set the OR condition before the subsearch, something like this:

index=toto ([ | inputlookup test.csv OR inputlookup test2.csv | eval user=Domain."\\"Sam | table user ] OR [ | inputlookup test2.csv | eval user=Domain."\\"Sam | table user ])
| table _time user

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎09-06-2023 03:43 PM

Try this by combining the two lookups using append for the second lookup

index=toto [ 
  | inputlookup test.csv 
  | inputlookup test2.csv append=t
  | eval user=Domain."\\".Sam
  | table user]
| table _time user

I believe there is a missing '.' in your eval statement setting up user  and 'Sam' is a field name?

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎09-06-2023 07:24 AM

Hi @jip31,

you have to set the OR condition before the subsearch, something like this:

index=toto ([ | inputlookup test.csv OR inputlookup test2.csv | eval user=Domain."\\"Sam | table user ] OR [ | inputlookup test2.csv | eval user=Domain."\\"Sam | table user ])
| table _time user

Ciao.

Giuseppe

Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎05-26-2024 05:36 PM

Just pointing out here that the statement

| inputlookup test.csv OR inputlookup test2.csv

is not valid Splunk - you cannot do two inputlookup commands like that.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-07-2023 03:49 AM

Hi @jip31 ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

0 Karma
Reply
Get Updates on the Splunk Community!

Changes to Splunk Instructor-Led Training Completion Criteria

We’re excited to share an update to our instructor-led training program that enhances the learning experience ...

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

❄️ Welcome the new year with our January lineup of Community Office Hours, Tech Talks, and Webinars! 🎉 ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...