Re: Is there a way to modify an inputlookup subsea...

cogden · ‎06-28-2018

I have a subsearch doing "| inputlookup" against a CSV... the implied operator is equals. "Column/Field = Cell Value" ... is anybody aware of a way to overload or modify that operator from equals to IN. For example, if my cell value is a comma-separated list value1,value2 I dont want the search to be field="value1,value2" I would want the search to be field IN (value1,value2)

Example search:
|tstats count WHERE [inputlookup test.csv]

Example: test.csv:
mycolumn
value1,value2

Desired expanded search:
|tstats count WHERE mycolumn IN (value1,value2)

Actual expanded search:
| tstats count WHERE mycolumn="value1,value2"

woodcock · ‎06-30-2018

Use this macro:

[convert_search_from_ORs_to_IN]
definition = rename COMMENT AS "EXTREME WARNING!!! THIS IS ONLY VALID IF YOU ARE USING A SINGLE FIELD!!!!"\
| rex field=search mode=sed "s/^\(\s*\(\s*// s/\s*\)\s*\)$/)/ s/=/ IN(/ s/\s*\)\s*OR\s*\([^=]+=/,/g"
errormsg = Description: Author=Gregg Woodcock; this is necessary because if the number of characters in a search string is too great, the search may fail; this conversion saves ~50%!
iseval = 0

Then, any place where you are doing something like this:

index=foo [|inputlookup tableOfHosts | table host]

Change it to this:

index=foo [|inputlookup tableOfHosts | table host | `convert_search_from_ORs_to_IN`]

cogden · ‎06-28-2018

SOLVED INTERNALLY:

Adding to the subsearch an eval split based on comma followed by an mvexpand accomplishes a similar result:

Example:

|tstats count WHERE [ | inputlookup test.csv | eval mycolumn = split(mycolumn,",") | mvexpand mycolumn ]

Is there a way to modify an inputlookup subsearch from an implied equals operator to an "IN" operator?

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk