Splunk Search

Create a lookup with search queries and have another search search those queries

Contributor

Is there a way I can have a search look at a lookup that has predefined search queries in each row and then run a search across those search queries?

Here's the Lookup:
testLOOKUP
testcolumn
index=test1 test search content1
index=test1 test search content2
index=test1 test search content3

Here's the search:

search [|inputlookup testLOOKUP | table testcolumn] | stats count by host

Would this roll through content1, content2, content3 and then provide results?

0 Karma
1 Solution

SplunkTrust
SplunkTrust

"Rolling through" as in do one search per row? That'd be the map command:

| inputlookup testLOOKUP | map [search $testcolumn$] | stats count by host

That's not going to be fast, it'd be much faster to run this for your example:

index=test1 (test search content1) OR (test search content2) OR (test search content3) | stats count by host

This could be achieved by running this:

[| inputlookup testLOOKUP | rename testcolumn as query | fields query] | stats count by host

Note, this assumes there are no piped commands in the lookup, only filters.


0 Karma
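To make the subsearch behaviour in the accepted answer concrete, here is an added Python example (not from the thread or from Splunk) that mimics what Splunk does when a subsearch returns a field named `query`: each row's value is dropped into the outer search verbatim and the rows are ORed together. It also enforces the answer's caveat by rejecting any lookup row that carries a pipe outside a quoted string, since such a row would inject a command rather than a filter. The lookup contents, the `testcolumn` name and the exact spacing of the expanded search are constructed assumptions for illustration.

```python
import csv
import io

# Constructed sample lookup in the shape of testLOOKUP from the thread.
# The last row uses the quoted format asked about later in the thread.
SAMPLE_LOOKUP_CSV = """testcolumn
index=test1 test search content1
index=test1 test search content2
index="testindex" app="testapp" "search content"
"""


def load_lookup(csv_text, column="testcolumn"):
    """Read one column of a CSV lookup, skipping blank rows."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [r[column].strip() for r in rows if (r.get(column) or "").strip()]


def has_pipe_outside_quotes(fragment):
    """True if the fragment contains a '|' that is not inside a double-quoted
    string. Such a pipe would turn the row into a command, not a filter."""
    in_quote = False
    i = 0
    while i < len(fragment):
        ch = fragment[i]
        if in_quote and ch == "\\":
            i += 2          # skip an escaped character inside quotes
            continue
        if ch == '"':
            in_quote = not in_quote
        elif ch == "|" and not in_quote:
            return True
        i += 1
    return False


def build_or_search(fragments, tail="| stats count by host"):
    """Expand lookup rows the way a subsearch returning a 'query' field does:
    each row becomes a parenthesised filter and the rows are ORed together.
    Rows containing a bare pipe are refused rather than silently joined."""
    bad = [f for f in fragments if has_pipe_outside_quotes(f)]
    if bad:
        raise ValueError("lookup rows must be filters only, no piped commands: %r" % bad)
    body = " OR ".join("(" + f + ")" for f in fragments)
    return body + " " + tail


if __name__ == "__main__":
    print(build_or_search(load_lookup(SAMPLE_LOOKUP_CSV)))
```

Running it prints the single combined search the answer recommends instead of one `map` iteration per row. Feeding it a row such as `index=test1 | delete` raises instead of producing a search, which is the check worth running over a lookup that other people can edit.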

SplunkTrust
SplunkTrust

Not really, there just can't be any pipes involved.

0 Karma

Contributor

In the lookup column, would there be any restriction on how I have the query formatted?

Currently, the queries would look like this in the testcolumn

index="testindex" app="testapp" "search content"

0 Karma