Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create a base search that uses values from a multi-value field as indices?

jsven7
Communicator
‎09-03-2020 11:50 AM

I have a lookup table. Let's say the lookup table contains a column called "a". The "a" column contains a list of indices.

How can I perform a stats count of logs found in each index from the "a" column?

 

| inputlookup lookuptable.csv
| table a

 

 

Labels (4)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-03-2020 02:01 PM

If I understand the question, this may help.  

| inputlookup lookuptable.csv 
| fields a
| mvexpand a
| map search="search index=$a$"
---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎09-08-2020 07:29 AM

If the field is not multivalue then mvexpand will not do anythihg to it.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-03-2020 02:01 PM

If I understand the question, this may help.  

| inputlookup lookuptable.csv 
| fields a
| mvexpand a
| map search="search index=$a$"
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

jsven7
Communicator
‎09-08-2020 07:15 AM

@richgalloway  - thanks Rich. May I ask, what if some of the values are multivalued, pipe-deliminated values. How may I make $a$ single-valued?

0 Karma
Reply
Get Updates on the Splunk Community!

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

We’ve been buzzing with excitement about the recent validation of Splunk Education! The 2024 Splunk Career ...

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...