Splunk Search

For loop within Lookup Table

dlawler1
New Member

Hello! 

I have a lookup table that looks like the following: 

host     timestamp
host1    10:33
host2    4:24

What I would like to do is "iterate" through the lookup table using the host field for host, and the timestamp for the search. Does anyone have any opinions/thoughts? 

0 Karma

bowesmana
SplunkTrust

Can you expand on what you mean by iterate and what you want to do during the iteration.

You can use

| inputlookup lookup_name

to collect all the rows from the table, but I am not sure what you are trying to achieve.

0 Karma

dlawler1
New Member

@bowesmana wrote:

Can you expand on what you mean by iterate and what you want to do during the iteration.


My plan would be to use cell one as a host, and search for the timestamp in cell two. 

index=index sourcetype=sourcetype host=<from cell one> "<from cell two>"

And then repeat this for the next row, and so on and so forth.

In bash/shell it would be pretty easy to accomplish this using the API, but unfortunately I do not have access to the API.

0 Karma

bowesmana
SplunkTrust

So, if I understand correctly, you want to get data from an index relating to all hosts in the lookup and then get the timestamp from the lookup.

index=index sourcetype=sourcetype 
    [| inputlookup yourlookup.csv | fields host ]
| lookup yourlookup.csv host

What this is doing 

Line 1 - search your index 

Line 2 - Use a subsearch to add an additional constraint on your line 1 search which is derived from all the hosts in your lookup file.

Line 3 - then for all the events found from the above search, lookup the host in the event from the lookup file and get the timestamp.

I am sure there is more to your needs than just this, but hopefully this will help you get started.

0 Karma

PickleRick
SplunkTrust

There is a solution for that but you shouldn't use it 🙂

But seriously - you can iterate over results of one search and call a subsearch for every row of the base search but it spawns a new search for every row in base search results so it's highly ineffective. And has some more limitations because of subsearch use.

But you might use the subsearch to generate sets of conditions for the base search.

If you have a subsearch returning sets of fields, the results are by default rendered as (pseudocode):

((row1field1name=row1field1value AND row1field2name=row1field2value AND ...) OR (row2field1name=row2field1value AND row2field2name=row2field2value AND ...) OR ...)

So you can just use

[ | inputlookup <yourlookup.csv> ]

to generate a set of rules for your search.

You just have to be sure that your subsearch returns proper fields. So if your lookup contains different field names, you might want to | rename them.

0 Karma
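A small Python model of the expansion described in the two answers above (added here; it is not code from the thread and not Splunk itself): it renders lookup rows the way Splunk's default subsearch formatting does and then checks which constructed events that condition would keep, so the field-name mismatch that `| rename` fixes shows up before the real search is run. The lookup contents, the events and the `event_time` field name are all constructed for the example.

```python
# Added example, not code from the thread: model how Splunk's default subsearch
# formatting turns inputlookup rows into an OR-of-ANDs condition, and check
# which events that condition would keep, so a field-name mismatch between
# the lookup and the events is caught before the real search is run.
import csv
import io

# Constructed stand-in for yourlookup.csv (the thread's host/timestamp table).
LOOKUP_CSV = "host,timestamp\nhost1,10:33\nhost2,4:24\n"

# Constructed events; note the field is called event_time, not timestamp.
EVENTS = [
    {"host": "host1", "event_time": "10:33", "msg": "login ok"},
    {"host": "host1", "event_time": "11:05", "msg": "login ok"},
    {"host": "host2", "event_time": "4:24", "msg": "sudo session"},
    {"host": "host3", "event_time": "4:24", "msg": "not in lookup"},
]

def load_lookup(text):
    """Rows as | inputlookup would return them."""
    return list(csv.DictReader(io.StringIO(text)))

def quote(value):
    """Splunk double-quotes subsearch values; escape embedded quotes."""
    return '"' + str(value).replace("\\", "\\\\").replace('"', '\\"') + '"'

def render_subsearch(rows, rename=None):
    """Text of the condition substituted for [ | inputlookup ... ].

    rename maps lookup field names to event field names, mirroring
    | rename lookup_field AS event_field inside the subsearch.
    """
    rename = rename or {}
    clauses = []
    for row in rows:
        terms = [f"{rename.get(f, f)}={quote(v)}" for f, v in row.items()]
        clauses.append("( " + " AND ".join(terms) + " )")
    return "( " + " OR ".join(clauses) + " )"

def select_events(rows, events, rename=None):
    """Events the generated condition keeps: every field of some row must
    be present in the event with the same value (a missing field never matches)."""
    rename = rename or {}
    keep = []
    for ev in events:
        if any(all(ev.get(rename.get(f, f)) == v for f, v in row.items())
               for row in rows):
            keep.append(ev)
    return keep
```

Without the rename the condition constrains on a `timestamp` field that no event carries, so nothing is returned; with `{"timestamp": "event_time"}` only the two lookup rows' events survive.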