Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

For loop within Lookup Table

dlawler1
New Member
‎11-08-2021 01:05 PM

Hello! 

I have a lookup table that looks like the following: 

hosttimestamp
host110:33
host24:24

 

What I would like to do is "iterate" through the lookup table using the host field for host, and the timestamp for the search. Does anyone have any opinions/thoughts? 

Labels (3)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎11-08-2021 10:33 PM

Can you expand on what you mean by iterate and what you want do during the iteration.

You can use

| inputlookup lookup_name

to collect all the rows from the table, but I am not sure what you are trying to achieve.

 

0 Karma
Reply

dlawler1
New Member
‎11-09-2021 03:59 AM
@bowesmana wrote:

Can you expand on what you mean by iterate and what you want do during the iteration.

My plan would be to use cell one as a host, and search for the timestamp in cell two. 

index=index sourcetype=sourcetype host=<from cell one> "<from cell two>

And then repeat this, for the next row, and so on and so fourth. 

In bash/shell it would be pretty easy to accomplish this using the API, but unfortunately I do not have access to the API.

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎11-09-2021 01:02 PM

So, if I understand correctly, you want to get data from an index relating to all hosts in the lookup and then get the timestamp from the lookup.

index=index sourcetype=sourcetype 
    [| inputlookup yourlookup.csv | fields host ]
| lookup yourlookup.csv host

What this is doing 

Line 1 - search your index 

Line 2 - Use a subsearch to add an additional constraint on your line 1 search which is derived from all the hosts in your lookup file.

Line 3 - then for all the events found from the above search, lookup the host in the event from the lookup file and get the timestamp.

I am sure there is more to your needs than just this, but hopefully this will help you get started.

 

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎11-09-2021 04:55 AM

There is a solution for that but you shouldn't use it 🙂

But seriously - you can iterate over results of one search and call a subsearch for every row of the base search but it spawns a new search for every row in base search results so it's highly ineffective. And has some more limitations because of subsearch use.

But you might use the subsearch to generate sets of conditions for the base search.

If you have a subsearch returning sets of fields, they results are by default rendered as (pseudocode):

((row1field1name=row1field1value AND row1field2name=row1field2value AND ...) OR (row2field1name=row2field1value AND row2field2name=row2field2value AND ...) OR ...)

So you can just use

[ | inputlookup <yourlookup.csv> ]

to generate set of rules for your search.

You just have to be sure that your subsearch returns proper fields. So if your lookup contains different field names, you might want to | rename them.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...
Top