Solved: How to drop field name from a lookup table similar...

wills2g · ‎06-25-2018

Hi All,

To give some context, the return function in Splunk when used with a subsearch allows you to drop the field name when used with the "$" symbol. So for example in the subsearch: [search index=A | fields test | return $test], rather than returning test=B or test=C, this will only return "B" and "C".

If I create a search like: index=A inputlookup lookup.csv | return $test, is there any way to only return the value in the inputlookup "B" and not test=B. Or if there are any other ways to do this?

Thanks

HiroshiSatoh · ‎06-25-2018

Use query.

index=A  [inputlookup lookup.csv | rename test as query]

View solution in original post

HiroshiSatoh · ‎06-25-2018

Use query.

index=A  [inputlookup lookup.csv | rename test as query]

wills2g · ‎06-26-2018

Thanks for that, it works great. Would you be able to explain what renaming to query does?

HiroshiSatoh · ‎06-26-2018

It is described in the manual.

https://docs.splunk.com/Documentation/Splunk/7.1.1/Search/Changetheformatofsubsearchresults

Only the first one
index = * [inputlookup xxx.csv | fields col_a | rename col_a as search]
-> index = * "AA"

In case of all cases
index = * [inputlookup xxx.csv | fields col_a | rename col_a as query]
-> index = * ("AA" OR "CC")

How to drop field name from a lookup table similar to the return function?

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

Are you a member of the Splunk Community?

How to drop field name from a lookup table similar to the return function?

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk