Splunk Search

How can I use a search result as a filename variable of an inputlookup statement

apietersen
Contributor

Hi,

I would like to set up a kind of help-text library based on unique msgcode-xx.csv text files (or internal/external html pages/files).

With the code below I try to look for a filename in EVENTLIST_3v3 that I can use as an input for an appended inputlookup statement. The lookup goes OK, but I cannot get it passed further as a filename argument for the next inputlookup statement.
NB: the filename is stored in EVENTLIST_3v3.

Whatever I try, nothing works so far, and I do not understand why a correct filename string cannot be processed as a parameter of a following (append, join, etc.) inputlookup command.

  • What am I missing here? Does anyone have a clue?
  • Does anyone have a better approach for this help-library function (i.e. linking to html pages)?

| makeresults
| eval msgtxt="46 - No intervention needed" , msgcode=substr(msgtxt,0,2) | table msgcode
| lookup EVENTLIST_3v3 nr as msgcode OUTPUT helpdoc
| table helpdoc
| appendcols
[|inputlookup helpdoc | table *]

regards
Ashley Pietersen

0 Karma
1 Solution

jkat54
SplunkTrust

I do it like this on a dashboard:

| lookup 
[ 
 | makeresults count=1 
 | eval env="$VARIABLE_FROM_DROPDOWN$"
 | eval lookupname=case
 (
  match(env,"prod.*"), "prod",
  match(env,"uat.*"), "uat",
  match(env,"qa.*"), "qa"
 ) 
 | fields lookupname 
 | return $lookupname 
] fieldInLookup AS fieldInData OUTPUTNEW fieldsFromLookup

So to adapt it for your use case, I think this would work:

|inputlookup
[
| makeresults 
| eval msgtxt="46 - No intervention needed" , msgcode=substr(msgtxt,0,2) 
| table msgcode
| lookup EVENTLIST_3v3 nr as msgcode OUTPUT helpdoc
| fields helpdoc
| return $helpdoc
] | table *

0 Karma


apietersen
Contributor

Hi jkat54,

Thanks for the code, that was very helpful. This works fine for what I am trying to achieve.

I will need to look into the details of your use of "return $helpdoc" and the fact that you start with inputlookup, which is the other way around from what I did. Thanks again!!

My final code is now:

|inputlookup
     [
     | makeresults 
     | eval msgtxt="$nr$" , msgcode=substr(msgtxt,5,2) 
     | table msgcode
     | lookup EVENTLIST_3v3 nr as msgcode OUTPUT helpdoc
     | fields helpdoc
     | return $helpdoc
     ] | table help

best regards
Ashley Pietersen

jkat54
SplunkTrust

Glad to help.

The return and format commands are essential when using subsearches.

Use this command reference for more details on those two commands:

http://docs.splunk.com/Documentation/Splunk/7.1.2/SearchReference/ListOfSearchCommands

0 Karma
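
Added example, not part of the original thread: a subsearch runs first and its output is substituted into the outer search as text, so `return $helpdoc` supplies the bare filename that `inputlookup` needs, while the literal `helpdoc` in the question's `[|inputlookup helpdoc ...]` was read as a lookup name. The variant below also covers the case where the code has no row in EVENTLIST_3v3 or the stored name has an unexpected shape, which would otherwise leave `inputlookup` with no usable table name. The `msgcode-<digits>.csv` pattern, the fallback file `msgcode-default.csv` and the fixed `msgcode` value are assumptions, and the comments use the `comment` search macro from the Search app.

```spl
| inputlookup
    [| makeresults
     | eval msgcode="46" `comment("constructed sample value - the thread cuts it out of msgtxt")`
     | lookup EVENTLIST_3v3 nr AS msgcode OUTPUT helpdoc
     | eval helpdoc=if(match(coalesce(helpdoc, ""), "^msgcode-[0-9]+\.csv$"), helpdoc, "msgcode-default.csv") `comment("assumed naming pattern and hypothetical fallback file - a null or odd value never reaches inputlookup")`
     | return $helpdoc `comment("emits only the value - return helpdoc without the dollar sign would emit a field=value pair")`
    ]
| table *
```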