How to combine results of inputlookup and a search...

tcpcannon · ‎05-18-2023

I want to search from a lookup table, get a field, and compare it to a search and pull the fields from that search based off of a common field. I would rather not use |set diff and its currently only showing the data from the inputlookup.

| set diff
[| inputlookup all_mid-tiers WHERE host="ACN*" 
    | fields username Unit ]
    [ search index=iis 
        [| inputlookup all_mid-tiers WHERE host="ACN*" 
        | fields username ] 
    | dedup username 
    | dedup SiteIDOverride
    | eval username=lower(username) 
    | fields username SiteIDOverride unitType installVer os jkversion
        ] 
| join type=left
    [ search index="iis" sourcetype="iis" earliest=-7d@d 
        [| inputlookup all_mid-tiers Where host="*ACN*" 
        | fields username]   
    | dedup username 
    | eval username=lower(username) 
    | eval timedelta=now()-_time 
    | eval time_delta_days=floor(timedelta/86400) 
    | stats first(time_delta_days) as Status by username 
    | eval Status=if(Status<"0","0",Status) 
    | eval StatA=Status 
    | rangemap field=StatA OK=0-0 Monitor=1-1 Contact=2-9999 
    | rename range as Status 
        ] 

| lookup all_mid-tiers host AS SiteIDOverride OUTPUT Unit Weaponsystem Last_access
| eval Last_access=strftime(Last_access, "%Y-%m-%d")
| rename Weaponsystem as unitType
| dedup Unit

| table Status Unit SiteIDOverride unitType installVer os jkversion Last_access

I can't seem to get it to pull SiteIDOverride unitType...^^ from the search.

How to combine results of inputlookup and a search to a table?

lookup

subsearch

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

Your summer travels continue with new course releases

From Alert to Resolution: How Splunk Observability Helps SREs Navigate Critical ...

Are you a member of the Splunk Community?