Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Hi All, how can i take result (which is a macro ) of inputlookup table and use that result to extract data from the macro ??

Anantha123
Communicator
‎10-12-2018 12:06 PM

| inputlookup ED_ENDI_Digital_Flow
| search Flow="ED_ENDI_FLOW_"
| search Step="ED_ENDI_STEP"
| rex field=Step "ED_ENDI_STEP_(?\w+)"
| stats values(Title1) as titleVals
| eval hostFilter="(ED_ENDI_STEP_".mvjoin(titleVals, ") OR (ED_ENDI_STEP_").")"
| fields hostFilter

host filter will have list of macros as a result as below format

o/p - (macro1) OR ('macro2') OR (macro3) .....

I want value of hostFilter to be appeared in below query to use the values in these macros (results of hostFilters)

index=* ***(hostFilter macros i.e (macro1) OR ('macro2') OR (macro3) .... ) | stats count as Total

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Anantha123
Communicator
‎10-16-2018 07:30 AM

We can use Base search for Inputlookup query and link the result to Panel query by using data element

<query>

| inputlookup ED_ENDI_Digital_Flow
| search Flow="ED_ENDI_FLOW_"
| search Step="ED_ENDI_STEP"
| rex field=Step "ED_ENDI_STEP_(?\w+)"
| stats values(Title1) as titleVals
| eval hostFilter="(ED_ENDI_STEP_".mvjoin(titleVals, ") OR (ED_ENDI_STEP_").")"
| fields hostFilter

<earliest>$Time.earliest$</earliest>
<latest>$Time.latest$</latest>
<done>
  <set token="ABC">$result.finaldata$</set>
</done>

<panel>
  <table>
    <title>test $ABC$</title>
    <search>
      <query>index=* $ABC$ |stats  count AS Total </query>
      <earliest>$Time.earliest$</earliest>
      <latest>$Time.latest$</latest>
    </search>
    <option name="drilldown">none</option>
  </table>
</panel>

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Anantha123
Communicator
‎10-16-2018 07:30 AM

We can use Base search for Inputlookup query and link the result to Panel query by using data element

<query>

| inputlookup ED_ENDI_Digital_Flow
| search Flow="ED_ENDI_FLOW_"
| search Step="ED_ENDI_STEP"
| rex field=Step "ED_ENDI_STEP_(?\w+)"
| stats values(Title1) as titleVals
| eval hostFilter="(ED_ENDI_STEP_".mvjoin(titleVals, ") OR (ED_ENDI_STEP_").")"
| fields hostFilter

<earliest>$Time.earliest$</earliest>
<latest>$Time.latest$</latest>
<done>
  <set token="ABC">$result.finaldata$</set>
</done>

<panel>
  <table>
    <title>test $ABC$</title>
    <search>
      <query>index=* $ABC$ |stats  count AS Total </query>
      <earliest>$Time.earliest$</earliest>
      <latest>$Time.latest$</latest>
    </search>
    <option name="drilldown">none</option>
  </table>
</panel>
0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎10-16-2018 08:36 AM

@Anantha123 Is your problem resolved? If so, please accept the answer to help future readers.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

Anantha123
Communicator
‎10-16-2018 06:12 PM

Yes, with above code. I am able to get the result of base search dragged in to the panel query

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...