- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How can I combine 2 searches consisting of inp...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How can I combine 2 searches consisting of inputlookup and outputlookups?
how can i combine queries to populate a lookup table?
I have a lookup table with the following values
item
1
2
3
i'm using the splunk web framework to allow a user to insert an item. if the user enters 3 then item 3 is changed to 4 and item 3 is inserted. the field input_item represents the value entered by the user. i'm using the query below to first renumber item 3 to 4 and to insert item 3 via an appended search.
| inputlookup item.csv
| eval input_item = 3
| eval itemnumber = if(itemnumber >= input_item, itemnumber +1, itemnumber)
| fields - input_item
| outputlookup item.csv
| append [
| inputlookup item.csv | stats count as testcount
| eval input_item =3
| eval itemnumber = input_item
| fields - testcount
| outputlookup item.csv append=true]
unfortunately, the new item is created with a value of 4 instead of 3.
is there way to combine these two queries or do i need to create 2 separate queries via 2 separate searches in the search manager?
thanks in advance,
Peter
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@pc1234 since you are anyways using Splunk Web Framework, this scenario seems to be a valid case for KV Store. So, you should try KV Store in place of Lookup: http://dev.splunk.com/view/webframework-tutorials/SP-CAAAEZT
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
PC1234, looks like you just want to modify your CSV and add a row to it. I am guessing that the csv gets evaluated once in the query, so try this:
| inputlookup item.csv
| eval input_item = 3
| eval itemnumber = if(itemnumber >= input_item, itemnumber +1, itemnumber)
| append [|makeresults | eval itemnumber = input_item | table itemnumber]
| fields - input_item
| outputlookup item.csv
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FYI, I verified that the lookup is only loaded/evaluated when the search gets parsed by doing this:
| makeresults
| eval data= "ITEM=1 ;ITEM=2; ITEM=3"
| makemv data delim=";"
| mvexpand data
| rename data as _raw | KV | table ITEM | outputlookup items.csv | append [|inputlookup items.csv]
If the lookukp were processed for each reference, I would get two records each for ITEM=1, ITEM=2, ITEM=3
Instead the results look like:
ITEM
1
2
3
Run the same query again and I get:
ITEM
1
2
3
1
2
3
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
