Solved: Use Lookup value(s) as field values in search quer...

wwhite12 · ‎06-18-2020

Hello,
I have a lookup that will only have one column (MY_COL), this column will always have at least one row but could have multiple. I am trying to take the value of the row(s) and use them in a search query like this

index=my_index RuleID=(INSERT LOOKUP VALUES HERE, IF MULTIPLE MAKE IT AN OR STATEMENT)
| table RuleID, etc, etc,

Is there a clean way to do this?
Thanks in advance!

richgalloway · ‎06-18-2020

Try a subsearch.

index=my_index RuleID=[ |inputlookup mylookup.csv | rename MY_COL as RuleID | fields | RuleID | format ]
| table RuleID, etc, etc,

If you run the subsearch by itself, you'll see how the lookup contents are converted into a series of OR clauses.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎06-18-2020

Try a subsearch.

index=my_index RuleID=[ |inputlookup mylookup.csv | rename MY_COL as RuleID | fields | RuleID | format ]
| table RuleID, etc, etc,

If you run the subsearch by itself, you'll see how the lookup contents are converted into a series of OR clauses.

---
If this reply helps you, Karma would be appreciated.

wwhite12 · ‎06-18-2020

Thanks for the assist!

richgalloway · ‎06-18-2020

Actually, the RuleID shouldn't be there at all. The format command will create "RuleID=foo OR RuleID=bar" so it doesn't need to be there before the subsearch.

---
If this reply helps you, Karma would be appreciated.

Use Lookup value(s) as field values in search query

using Splunk Enterprise

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?