
How can I search the content of all my lookups?

gabriel_vasseur

I want a way to search the content of all my lookups.

If I had just one lookup, I would do something like:

| inputlookup myonelookup.csv 
| foreach * 
    [| eval matching_field_and_value = mvappend( matching_field_and_value, if( match( '<<FIELD>>', "mysearchpattern" ), "<<FIELD>>" . "::". '<<FIELD>>' , null() ) )] 
| search matching_field_and_value=*
| table matching_field_and_value *

If I knew I wanted to search a few known lookups, I would replace the first line with:

| inputlookup append=t lookup1.csv
| inputlookup append=t lookup2.csv
| inputlookup append=t lookup3.csv

But what if I want to search through all my lookups?

I can get a list of lookups via the right REST commands, and I've been thinking about converting the list into a list of fields and using a foreach loop on these fields, but you can't put a "non streaming command" such as inputlookup inside a foreach subsearch...

Any other ideas?

The solution needs to work in Cloud, so it needs to be pure Splunk. On premises, I know my way around with grep and I know it works really well.

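One way to do this in pure SPL, as an added example that is not part of the original post: list the lookup files over REST and let `map` run the single-lookup search from the question once per file, which avoids putting `inputlookup` inside `foreach`. The `/servicesNS/-/-/data/lookup-table-files` endpoint, the `*.csv` filter, the `maxsearches=200` limit and the `lookup` output field are assumptions, as is every listed file being readable from the app the search runs in.

```spl
| rest /servicesNS/-/-/data/lookup-table-files splunk_server=local
| fields title
| search title="*.csv"
| dedup title
| map maxsearches=200 search="
    | inputlookup $title$
    | foreach * [ eval matching_field_and_value = mvappend( matching_field_and_value, if( match( '<<FIELD>>', \"mysearchpattern\" ), \"<<FIELD>>\" . \"::\" . '<<FIELD>>', null() ) ) ]
    | search matching_field_and_value=*
    | eval lookup=\"$title$\"
    | table lookup matching_field_and_value *"
```

`map` launches one search per lookup file, so the cost grows with the number of lookups. KV store collections are not lookup files and are not returned by this endpoint.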