Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I append all lookup files with uncertain names (like(name,"record*%"))?

evelenke
Contributor
‎04-12-2018 10:21 AM

Hi Splunkers,

I have lookup with WiFi authentication data (IP-Addr, mac-addr, username) . Let's say name=wifiauth_records.csv
Periodically all records are saved to a new csv file (to the same app's directory) with equal first part of name, but with different second part which is actual date ( name=wifiauth_records_20180412.csv ).
As a result for some purpose initial file always contains only records for the last 7 days.
Now I want to create search which will open and join all this files on demand to make historical search by criteria. Something like | inputlookup wifiauth_records.csv | append [|inputlookup wifiauth_records_2018*.csv]
How can I do this with SPL?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

damien_chillet
Builder
‎04-13-2018 01:53 AM

You can try something like this:

| rest /services/data/lookup-table-files
| search title="wifiauth_records*"
| fields title
| map maxsearches=50 search="| inputlookup $title$"

Change maxsearches to a greater value if you have more than 50 lookups.

View solution in original post

Reply
Solved! Jump to solution
Solution

damien_chillet
Builder
‎04-13-2018 01:53 AM

You can try something like this:

| rest /services/data/lookup-table-files
| search title="wifiauth_records*"
| fields title
| map maxsearches=50 search="| inputlookup $title$"

Change maxsearches to a greater value if you have more than 50 lookups.

Reply
Solved! Jump to solution

evelenke
Contributor
‎04-13-2018 06:19 AM

Works, thank you!

0 Karma
Reply
Solved! Jump to solution

evelenke
Contributor
‎04-12-2018 11:01 AM

Stuck on this:

| inputlookup [| REST /services/data/lookup-table-files  | search eai:data=*myapp* title=wifiauth_records_201803* | fields title | eval append=" | append [ | inputlookup ", close=" ] " | eval title=append+title+close | fields title | stats values(title) as t | eval t=mvjoin(t,"") | eval a=" wifiauth_records " | eval a=a+t |  fields a | return $a]

I get error Error in 'inputlookup' command: Invalid argument: '|'

Subsearch query itself returns required string that should go after | inputlookup:

wifiauth_records| append [ | inputlookup wifiauth_records_20180303.csv ] | append [ | inputlookup wifiauth_records_20180310.csv ] ....
0 Karma
Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...