Splunk Search

How to club data from an index and a file to club?

srikanth_gurram
New Member

I am trying to club data from one source type with a search input from a formatted CSV file, however I can send only one value as the input for the search.
My requirement is that with that input value I want to send 2 or 3 related fields for the final output.

 

index=cdr source=* sourcetype=cdr globalCallId_ClusterID=main destDeviceName IN ( [
  |inputlookup Wireless.csv |rex field=USERID "(?<USERID>\w{6})$"
  | eval destDeviceName="ABC" + 'USERID' + "*"
  | table destDeviceName
  | mvcombine destDeviceName
  | nomv destDeviceName
  | return $destDeviceName])
| table globalCallId_ClusterID globalCallID_callId callingPartyNumber originalCalledPartyNumber origDeviceName destDeviceName DateTimeOrigination DisconnectTime duration

 

 

The above query gives me a user with specific values which will match the input for destDeviceName , however when that is formatted in table i want to add additional fields to the tabel that corresponds to the input look up file.

 

Labels (1)
0 Karma

srikanth_gurram
New Member

Hi Rick,

Thank you for the reply, my mvcombine and nomv is already combining the data for destdevicename so that all the values in the destDeviceName are being searched. however during this result display i wanted to add 2 additional fields from the csv file.

Capture.PNGCapture2.PNG

 

here i wanted in teh final result with the country and worker title, i want my search to go with origdevicename but the output should be with the values with those associated along in the csv file along with country and others as in screenshot.

0 Karma

PickleRick
SplunkTrust
SplunkTrust

I'm getting confused 🙂

If you want to use the lookup to - well - look up values from the lookup, don't use subsearches and inputlookup. Use the lookup "straight".

<your search>
| lookup yourlookup.csv inputfield [possible output fields]

If you want to limit your search by using the lookup to create additional conditions, you'd still need to use your subsearch (but again - without the IN clause and return - just use the subsearch and let splunk do its magic with formatting the output of the subsearch).

Remember that subsearch is getting evaluated before your main search and returns a static text which is substituted into the main search. So if you want to use the same lookup twice in two different ways (once for creating additional conditions, and once for enriching the results), you have to call it twice in two different ways.

<your search> [ | inputlookup yourlookup.csv
     | whatever
     | table origDeviceName ]
| lookup yourlookup.csv origDeviceName OUTPUT whatever output fields you want

This way the subsearch would get evaluated first, and that would effectively produce the main search as:

<your search> (origDeviceName="value1" OR origDeviceName="value2" OR origDeviceName="value3"...)
| lookup yourlookup.csv [...]

So for every result from the search the lookup against your csv file would be performed and return the defined set of fields.

You can't do that all with just one (input)lookup. Especially within the subsearch since it's evaluated just once before the main search.

0 Karma

PickleRick
SplunkTrust
SplunkTrust

Don't use the "return" command at the end of your subsearch and don't wrap it in destDeviceName IN [...].

If you simply return a set of results from your subsearch it will be formatted by default as a set of conditions in form of

destDeviceName="val1" OR destDeviceName="val2" OR ...

 

0 Karma
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...