
How to pass a value to the |inputlookup where , inside a subsearch

Explorer

I have a search:

index=examp1 sourcetype=json application=myservice
NOT [|inputlookup aps_test_filter.csv where application=<>| fields application prod_issue filter_field filter_values| eval {filter_field}=filter_values | fields - filter_field filter_values | stats values(*) as * by prod_issue | fields - prod_issue]

The CSV file has a set of filters to apply for each application. It is correctly outputting these filters to my main search string as follows:

`NOT ((application=myservice AND field1prodissue1=value AND field2prodissue1=value)

OR (application=myservice AND field1prodissue2=value AND field2prodissue2=value))`

The problem is I have a ton of filters in the CSV and I don't need them all to be looked up and applied to the search string, I only want the rows that match the correct application to be used.

I know that the subsearch runs first, which prevents me from passing values to it from my main search. Is there a way to achieve this? I have everything from the NOT onward in a macro that I want to append to all my alerts and reports.

Thanks!


Re: How to pass a value to the |inputlookup where , inside a subsearch

Champion

Hi AVOLLMER,

Try using the map command. Refer to the link below:
http://docs.splunk.com/Documentation/Splunk/7.0.2/SearchReference/Map


Re: How to pass a value to the |inputlookup where , inside a subsearch

Explorer

Thanks for your answer pgurav. Unfortunately, I don't see how I can prepend the results from the map subsearch with the NOT operator to filter the results in my original search as indicated in the question.
If I do this:
`index=examp1 sourcetype=json application=myservice | map search="| inputlookup aps_test_filter.csv where application=$application$ | fields application prod_issue filter_field filter_values | eval {filter_field}=filter_values | fields - filter_field filter_values | stats values(*) as * by prod_issue | fields - prod_issue"`


Re: How to pass a value to the |inputlookup where , inside a subsearch

SplunkTrust

How are you passing application name to your main search?


Re: How to pass a value to the |inputlookup where , inside a subsearch

Explorer

I want to pass application name from my main search to the subsearch to use it to filter values in the inputlookup and extract the values I want to use to filter the main search.

My CSV file has application, filter_field, filter_values, prod_issue, timestamp, user. I don't care about the last 2 columns... my subquery takes those columns and for each prod_issue makes a parenthesized set with OR statements between them. Inside the parentheses it has application=myservice AND field1_prod_issue1=value AND field2_prod_issue1=value for each field / value pair that exists per prod_issue, as shown in the example above. The way I currently have it set up, it works fine, except it pulls all of them for every application... but I only want it to pull the field / value pairs for the application currently being searched for, not EVERY possible combination.


Re: How to pass a value to the |inputlookup where , inside a subsearch

SplunkTrust

So you want to take all the applications from index=examp1 sourcetype=json and only apply filters for those apps?
If yes, you can do this dirty workaround:

index=examp1 sourcetype=json  NOT [|inputlookup aps_test_filter.csv | where [search index=examp1 sourcetype=json | stats count by application | table application]| fields application prod_issue filter_field filter_values| eval {filter_field}=filter_values | fields - filter_field filter_values | stats values(*) as * by prod_issue | fields - prod_issue]

But it may be more inefficient than having all application filters applied (subsearch inside subsearch). What's the problem that you see when all application filters are applied?


Re: How to pass a value to the |inputlookup where , inside a subsearch

Explorer

That workaround wouldn't work, as any index or sourcetype could be used, and a user might pick an application, or 3 applications might result from the rest of whatever they happen to be searching for. Then I would have to pass the whole search inside.

I don't necessarily have a problem with it pulling all of the values out; it works as expected. I just anticipate this lookup growing really big, and it could have a couple hundred AND / OR combinations to filter on if I can't figure out a way to pull only those filters that are applicable to the applications which result from the main search.

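The filter-building logic the thread's subsearch performs (rows of the lookup grouped by prod_issue, AND within a group, OR across groups, NOT in front), reproduced outside Splunk as an added example that is not from the thread or from Splunk. It is useful for previewing what the macro will expand to for one application before a suppression filter goes into an alert; the CSV content and the application names are constructed, and the quoting approximates Splunk's subsearch output rather than matching it byte for byte.

```python
import csv
import io
from collections import OrderedDict

# Constructed sample of aps_test_filter.csv, using the column names from the thread.
SAMPLE_CSV = """application,prod_issue,filter_field,filter_values,timestamp,user
myservice,prodissue1,field1,value1,2024-01-01,alice
myservice,prodissue1,field2,value2,2024-01-01,alice
myservice,prodissue2,field1,value3,2024-01-02,bob
otherapp,prodissue3,field9,value9,2024-01-03,carol
"""


def spl_quote(value: str) -> str:
    """Double-quote a lookup value for SPL, escaping backslashes and quotes
    so a value containing them cannot break out of the generated term."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_not_filter(csv_text: str, applications) -> str:
    """Keep only the lookup rows whose application is in `applications`
    (the restriction the thread is asking for), group the field/value pairs
    by (application, prod_issue), AND the terms inside a group, OR the groups
    together and prefix the whole thing with NOT.

    Returns "" when no row matches, so a caller can skip appending the
    clause instead of emitting an empty NOT that would behave unexpectedly.
    """
    wanted = set(applications)
    groups = OrderedDict()  # (application, prod_issue) -> ["field=value", ...]
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["application"] not in wanted:
            continue
        key = (row["application"], row["prod_issue"])
        # Each group starts with the application term, like the subsearch output.
        terms = groups.setdefault(key, ["application=" + spl_quote(row["application"])])
        terms.append(row["filter_field"] + "=" + spl_quote(row["filter_values"]))
    if not groups:
        return ""
    clauses = ["(" + " AND ".join(terms) + ")" for terms in groups.values()]
    return "NOT (" + " OR ".join(clauses) + ")"


if __name__ == "__main__":
    print(build_not_filter(SAMPLE_CSV, ["myservice"]))
```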