Solved: How can I use the result of subquery field as wild...

myusufe71 · ‎10-18-2024

I have subquery result as

host1

host2

And I want to put this all host result as host=* in the main query.

1. subquery

| inputlookup test.csv | search cluster="cluster1" | stats count by host | fields - count

2. main query

using subquery, as

index=abc host="*"

host="*" is subquery result.

Or is there any way to extract subquery result as host IN (host1, host2, host3) in main query?

gcusello · ‎10-18-2024

let me understand: you want to filter results of the main search with the results of the subsearch, is it correct?

in this case, please, try this:

index=abc [ | inputlookup test.csv WHERE cluster="cluster1" | dedup host | fields host ]

put only attention that the field to use as key (host) is the same in both main and sub search (it's case sensitive!).

Ciao.

Giuseppe

myusufe71 · ‎10-18-2024

Wow it works. @gcusello you are super duper. Thanks!

gcusello · ‎10-18-2024

good for you, see next time!

let me know if I can help you more, or, please, accept one answer for the other people of Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

gcusello · ‎10-18-2024

let me understand: you want to filter results of the main search with the results of the subsearch, is it correct?

in this case, please, try this:

index=abc [ | inputlookup test.csv WHERE cluster="cluster1" | dedup host | fields host ]

put only attention that the field to use as key (host) is the same in both main and sub search (it's case sensitive!).

Ciao.

Giuseppe

How can I use the result of subquery field as wildcard?