Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Do a lookup with results of another lookup

kmcaloon
Explorer
‎03-16-2016 01:35 PM

Does anyone know if this is possible? I have a search that works that gives me results for a particular user from a csv.

| inputlookup ldapsearch_corporate_identities | search identity="particular userid"

This lookup gives me the AD information for "particular userid".

I have another csv being generated with a list of userids that we want to pull information for. I'm wondering if I can get the first search to run and return results for each user listed in the second csv. Below is what I have so far. The search itself does list each userid in my csv. But I can't seem to get them to work together. Each user id is listed in a column called target_userid.

| inputlookup ldapsearch_corporate_identities|search [|inputlookup machines.csv |fields target_userid | dedup target_userid | mvexpand target_userid] | search identity=target_userid

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎03-16-2016 02:29 PM

Try something like this

|inputlookup machines.csv |fields target_userid | dedup target_userid | mvexpand target_userid | lookup ldapsearch_corporate_identities identity as target_userid

This will fetch the corresponding AD information for each target_userid.

View solution in original post

Reply
Solved! Jump to solution

kmcaloon
Explorer
‎03-16-2016 03:37 PM

Thanks to both of you for the suggestions. This worked perfectly!

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎03-16-2016 02:29 PM

Try something like this

|inputlookup machines.csv |fields target_userid | dedup target_userid | mvexpand target_userid | lookup ldapsearch_corporate_identities identity as target_userid

This will fetch the corresponding AD information for each target_userid.

Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎03-16-2016 02:02 PM

You should be able to do something like this:

| inputlookup ldapsearch_corporate_identities | search [inputlookup machines.csv | fields target_userid | dedup target_userid | rename target_userid as identity]

I'm a little confused about your mvexpand though, does the machines.csv contain multivalue target_userid fields?

Reply
Get Updates on the Splunk Community!

Your Voice Matters! Help Us Shape the New Splunk Lantern Experience

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Community Content Calendar, October Edition

Welcome to the October edition of our Community Spotlight! The Splunk Community is a treasure trove of ...