Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to drop field name from a lookup table similar to the return function?

wills2g
New Member
‎06-25-2018 10:06 PM

Hi All,

To give some context, the return function in Splunk when used with a subsearch allows you to drop the field name when used with the "$" symbol. So for example in the subsearch: [search index=A | fields test | return $test], rather than returning test=B or test=C, this will only return "B" and "C".

If I create a search like: index=A inputlookup lookup.csv | return $test, is there any way to only return the value in the inputlookup "B" and not test=B. Or if there are any other ways to do this?

Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

HiroshiSatoh
Champion
‎06-25-2018 10:32 PM

Use query.

index=A  [inputlookup lookup.csv | rename test as query]

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

HiroshiSatoh
Champion
‎06-25-2018 10:32 PM

Use query.

index=A  [inputlookup lookup.csv | rename test as query]
0 Karma
Reply
Solved! Jump to solution

wills2g
New Member
‎06-26-2018 04:15 PM

Thanks for that, it works great. Would you be able to explain what renaming to query does?

0 Karma
Reply
Solved! Jump to solution

HiroshiSatoh
Champion
‎06-26-2018 05:46 PM

It is described in the manual.

https://docs.splunk.com/Documentation/Splunk/7.1.1/Search/Changetheformatofsubsearchresults

Only the first one
index = * [inputlookup xxx.csv | fields col_a | rename col_a as search]
-> index = * "AA"

In case of all cases
index = * [inputlookup xxx.csv | fields col_a | rename col_a as query]
-> index = * ("AA" OR "CC")
0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...