- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to search a splunk search result?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to search a splunk search result?
I have a macro named X that uses the lookup in the search and produces the results as follows
indexes
index IN ("ABC","DEF")
where as indexes is column name
Now I want to use the macro X result (index IN ("ABC","DEF")) in a separate search as follows
my_search | where `X`
which should execute as below
my_search | where index IN ("ABC","DEF")
Now how can I achieve that?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @pavanae,
let me understand:
- you have a lookup containing a list of indexes,
- you want to use this list of indexes in a search,
- you whould use a macro,
is it correct?
At first, if you have a macro, you don't need to use a lookup, in your macro, you could insert the list of indexes to search, also because I suppose that they aren't so many, otherwise I hint to re-design your indexes structure!
This is e.g. the approach of Enterprise Security DataModels: in each datamodel there's a macro called "datamodel_name_indexes" and in this macro there a command like your:
index IN (index1, index2)But, anyway, if you would use a lookup, you don't need a macro, you could use a subsearch:
your_search [ | inputlookup indexes.csv | fields index ]
| ...At least, if you want to use in any case a macro, you could create a macro containing the above subsearch and use the macro in your search.
Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Does anyone happens to know , how can we restrict users from export data via RestAPI, CLI ?
would appreciate splunk documentation .
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks @gcusello for the quick response. Apologies for the confusion. To your question :- No, My macro contains nothing but the lookup and some filtering which produces the results as follows
indexes
index IN ("ABC","DEF")Now I wanted to use the macro's results as a subsearch. Now, I cannot use the lookup directly as I have too many indexes. All I wanted to take into account for the subsearch is just as below
index IN ("ABC","DEF")
but for now as I have a column name as indexes I am getting the subsearch as below which ending up with an error
indexes=index IN ("ABC","DEF")
Now, is there any way to tweak my subsearch or macro take the below into account which will work?
index IN ("ABC","DEF")
Where as my full search would be something like below after expanding the macro
My_Search | where index IN ("ABC","DEF")- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @pavanae,
the last solution isn't a good idea because it's a best practice to putt all the search terme as left as possible and use the search command only if you have somthing to elaborate, if you have a field in the main search is always better to put all the search terms in the main search.
Anyway, if you have many indexes (and I don't like this!) you can put them in a lookup and use a subsearch, as I hinted in my last answer:
your_search [ | inputlookup indexes.csv | fields index ]
| ...I don't understand why you don't want this solution!|
Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@gcuselloAs a side note - with simple searches, splunk can sometimes optimize the search in some obvious cases. So
search | search a=b
will get optimized to
search a=b
But of course I wuldn't rely on it and writing efficient searches is a good practice that should be followed.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You have three issues here.
One is a macro. Macro is a relatively simple string substitution. It's being evaluated before running the search so you expand it in search bar with some key combination (ctrl-shift-e?)
Second one is the contents of this macro which can be anything - even something syntactically incorrect - in such case the macro would get expanded but your resulting search would throw an error. It can have a subsearch running a inputlookup and some processing - no problem here.
Third one is the syntax of the subsearch results. By default the subsearch results get formatted in some particular way (an alternative of various returned field combinations). If you want it returned other way, you have to prepare the resulting text and use return to return a raw output as you want it.
And finally I'm not 100% sure you can use a IN (b,c) syntax with where. You can do this with search but I'm not sure about where.
Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...
Monitoring Amazon Elastic Kubernetes Service (EKS)
Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation
