Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Use Lookup value(s) as field values in search query

wwhite12
Path Finder
‎06-18-2020 06:28 AM

Hello,
I have a lookup that will only have one column (MY_COL), this column will always have at least one row but could have multiple. I am trying to take the value of the row(s) and use them in a search query like this

index=my_index RuleID=(INSERT LOOKUP VALUES HERE, IF MULTIPLE MAKE IT AN OR STATEMENT)
| table RuleID, etc, etc,

Is there a clean way to do this?
Thanks in advance!

Labels (1)
Labels
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎06-18-2020 07:21 AM

Try a subsearch.

index=my_index RuleID=[ |inputlookup mylookup.csv | rename MY_COL as RuleID | fields | RuleID | format ]
| table RuleID, etc, etc,

If you run the subsearch by itself, you'll see how the lookup contents are converted into a series of OR clauses. 

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎06-18-2020 07:21 AM

Try a subsearch.

index=my_index RuleID=[ |inputlookup mylookup.csv | rename MY_COL as RuleID | fields | RuleID | format ]
| table RuleID, etc, etc,

If you run the subsearch by itself, you'll see how the lookup contents are converted into a series of OR clauses. 

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

wwhite12
Path Finder
‎06-18-2020 07:30 AM

This worked
Although one weird thing I noted was I had to remove the "=" after RuleID to just have it as 
RuleID[ |inputlookup mylookup.csv | rename MY_COL as RuleID | fields RuleID | format]
| table RuleID, etc, etc

Thanks for the assist!

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎06-18-2020 08:34 AM
Actually, the RuleID shouldn't be there at all. The format command will create "RuleID=foo OR RuleID=bar" so it doesn't need to be there before the subsearch.
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...