Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Use Lookup value(s) as field values in search query

wwhite12
Path Finder
‎06-18-2020 06:28 AM

Hello,
I have a lookup that will only have one column (MY_COL), this column will always have at least one row but could have multiple. I am trying to take the value of the row(s) and use them in a search query like this

index=my_index RuleID=(INSERT LOOKUP VALUES HERE, IF MULTIPLE MAKE IT AN OR STATEMENT)
| table RuleID, etc, etc,

Is there a clean way to do this?
Thanks in advance!

Labels (1)
Labels
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎06-18-2020 07:21 AM

Try a subsearch.

index=my_index RuleID=[ |inputlookup mylookup.csv | rename MY_COL as RuleID | fields | RuleID | format ]
| table RuleID, etc, etc,

If you run the subsearch by itself, you'll see how the lookup contents are converted into a series of OR clauses. 

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎06-18-2020 07:21 AM

Try a subsearch.

index=my_index RuleID=[ |inputlookup mylookup.csv | rename MY_COL as RuleID | fields | RuleID | format ]
| table RuleID, etc, etc,

If you run the subsearch by itself, you'll see how the lookup contents are converted into a series of OR clauses. 

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

wwhite12
Path Finder
‎06-18-2020 07:30 AM

This worked
Although one weird thing I noted was I had to remove the "=" after RuleID to just have it as 
RuleID[ |inputlookup mylookup.csv | rename MY_COL as RuleID | fields RuleID | format]
| table RuleID, etc, etc

Thanks for the assist!

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎06-18-2020 08:34 AM
Actually, the RuleID shouldn't be there at all. The format command will create "RuleID=foo OR RuleID=bar" so it doesn't need to be there before the subsearch.
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

What's New in Splunk Observability Cloud and Splunk AppDynamics - May 2025

This month, we’re delivering several new innovations in Splunk Observability Cloud and Splunk AppDynamics ...

Getting Started with Splunk Artificial Intelligence, Insights for Nonprofits, and ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Splunk Observability Cloud’s AI Assistant in Action Series: Identifying Unknown ...

Agentic AI powers the Splunk AI Assistant within the Splunk Observability Cloud interface to help you quickly ...
Top