Knowledge Management

How do I display all fields from a lookup file via inputlookup , but match only one in the search?

sarwshai
Communicator

I have a lookup which has 6-7 fields. One of them is src_ip, which I'm trying to use in a search as follows:

index=myindex "searchterm" [| inputlookup "mylookup.csv" | fields src_ip] | stats values(field1) values(field2) by src_ip

Here it matches src_ip in "myindex" and brings out 3 fields i.e src_ip, field1, field2. However i want all the fields from the lookup in the results to compare only the src_ip with fields in "myindex" .

Is this possible?

0 Karma

datasearchninja
Communicator

The most perfomant option will be to look them up from the lookup after the stats command

So:

index=myindex "searchterm" [| inputlookup "mylookup.csv" | fields src_ip] 
| stats values(field1) values(field2) by src_ip
| lookup mylookup.csv src_ip
0 Karma

sarwshai
Communicator

No, that doesn't work, an error comes for this,

Error in 'SearchParser': Subsearches are only valid as arguments to commands. Error at position '375' of search query 'search index=myindex url=myurl | search [ | i...{snipped} {errorcontext = Action | [lookup "DH}'.

However i found a way for this and successfully displayed all fields from lookup while matching only one, below is the query,

index=myindex "searchterm" [| inputlookup "mylookup.csv" | fields src_ip]
| stats values(field1) values(field2) by src_ip
|join [| inputlookup mylookup.csv ]

0 Karma

datasearchninja
Communicator

Your query is using join when it shouldn't the correct use for this is as I suggested. Note this is lookup, not inputlookup:

index=myindex "searchterm" [| inputlookup "mylookup.csv" | fields src_ip]
|stats values(field1) values(field2) by src_ip
|lookup mylookup.csv src_ip

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...