Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Better search query way in terms of performance

N92
Path Finder
‎09-03-2019 06:38 AM

I have below search criteria so let me know best way for this.

base search (which have output in table format) [table sourcetype def ghi]
sourcetype= 1 check with static lookup and store respective result in "ghi" field
sourcetype= 2 check with static lookup and store respective result in "ghi" field

Tags (1)
0 Karma
Reply

tscroggins
Influencer
‎09-03-2019 09:13 AM

Create a simple lookup file, e.g. sourcetype_ghi_lookup.csv, with two fields, sourcetype and ghi. E.g. For sourcetype=1 and sourcetype=2:

sourcetype,ghi
1,"some ghi value"
2,"another ghi value"

| lookup sourcetype_ghi_lookup.csv sourcetype output ghi

You can use the file in both a lookup and automatic lookup definition to omit the lookup command in searches and populate the ghi field automatically.

0 Karma
Reply

somesoni2
Revered Legend
‎09-03-2019 07:00 AM

Give this a try

your base search
| lookup yourSourcetype1lookup.csv fieldName OUTPUT ghi as ghi1
| lookup yourSourcetype2lookup.csv fieldName OUTPUT ghi as ghi2
| eval ghi=iff(sourcetype="sourcetype1", ghi1,ghi2) | fields - ghi1 ghi2
0 Karma
Reply

N92
Path Finder
‎09-03-2019 08:42 AM

It works. Thanks @somesoni2

0 Karma
Reply

jpolvino
Builder
‎09-03-2019 06:47 AM

Can you please provide samples of what your table represents, and what you want to do with the two sourcetype lines you mention?

0 Karma
Reply

N92
Path Finder
‎09-03-2019 07:51 AM

| table dest user source sourcetype result
| lookup users.csv users as user OUTPUT host_name as result
| lookup users.csv source as user OUTPUT host_name as result

For both the lookup condition I am try to distinguish with sourcetype condition.

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...