Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I use a variable from a lookup in a search?

wgawhh5hbnht
Communicator
‎06-21-2023 05:37 AM

I have a lookup table that contains usernames and userids. I want to use this to match a username to userid & vice versa. I want to take the output from said lookup and search across multiple indexes for the username OR the userid. It would look ruffly something like this:

|inputlookup username2userid.csv 
| search username=a@a.com 
| table username userid
| search (index=a $username$) OR (index=b $userid$)

 

If I manually replace either variable with the actual values the search works. Is it not possible to pass a variable from a lookup into a search?

 

Thank you in advance! 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎06-21-2023 06:34 AM

Please try 

| inputlookup "username2userid.csv" 
| search username=a
| table username, userid 
| map search="search index=a $userid$"

this should works 

View solution in original post

Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎06-21-2023 05:49 AM

Hi

basically you have two options:

  • use your current query (last line) with map command
  • Switch the order to reverse and use sub queries to get those username and userid

It depends on your event amounts etc. which one is better.

r. Ismo

0 Karma
Reply
Solved! Jump to solution

wgawhh5hbnht
Communicator
‎06-21-2023 06:22 AM

1. Thank you for the response. I'm getting the following error when using the map command:

Unable to run query '(index=a "<REDACTED>") OR (index=b "<REDACTED>")'

I don't see anything in the search.log that is causing errror and I've tried specifying fields for both variables.

If I only search one index with one variable I get a similar error.
SEARCH:

| inputlookup "username2userid.csv" |search username=a
| table username, userid 
| map search="index=a $userid$"

ERROR:

Unable to run query 'index=hyperion "<REDACTED>"'

 

 

2. I'm unsure what you mean by "Switch the order to reverse and use sub queries to get those username and userid". May I have an example please?

0 Karma
Reply
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎06-21-2023 06:34 AM

Please try 

| inputlookup "username2userid.csv" 
| search username=a
| table username, userid 
| map search="search index=a $userid$"

this should works 

Reply
Solved! Jump to solution

wgawhh5hbnht
Communicator
‎06-21-2023 06:38 AM

That was it! Thank you for your help!

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...