Solved: How to drop field name from a lookup table similar...

wills2g · ‎06-25-2018

Hi All,

To give some context, the return function in Splunk when used with a subsearch allows you to drop the field name when used with the "$" symbol. So for example in the subsearch: [search index=A | fields test | return $test], rather than returning test=B or test=C, this will only return "B" and "C".

If I create a search like: index=A inputlookup lookup.csv | return $test, is there any way to only return the value in the inputlookup "B" and not test=B. Or if there are any other ways to do this?

Thanks

HiroshiSatoh · ‎06-25-2018

Use query.

index=A  [inputlookup lookup.csv | rename test as query]

View solution in original post

HiroshiSatoh · ‎06-25-2018

Use query.

index=A  [inputlookup lookup.csv | rename test as query]

wills2g · ‎06-26-2018

Thanks for that, it works great. Would you be able to explain what renaming to query does?

HiroshiSatoh · ‎06-26-2018

It is described in the manual.

https://docs.splunk.com/Documentation/Splunk/7.1.1/Search/Changetheformatofsubsearchresults

Only the first one
index = * [inputlookup xxx.csv | fields col_a | rename col_a as search]
-> index = * "AA"

In case of all cases
index = * [inputlookup xxx.csv | fields col_a | rename col_a as query]
-> index = * ("AA" OR "CC")

How to drop field name from a lookup table similar to the return function?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!