Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is there a way to search across multiple lookup files to find text within them?

finchy
Explorer
‎01-27-2023 05:26 AM

Hi

Is there a way to search across multiple Lookup files to find text within them ?  I know that you can use | inputlookup to get the contents of a single lookup csv file but I'm trying to search for any csv files that might have a specific string value.

Labels (1)
Labels
0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎01-27-2023 05:57 AM

@finchy,

You can use below sample, it will search for  "text_to_search" value in all lookups. It is better to limit lookup files by filtering title.

 

| rest /servicesNS/-/-/data/lookup-table-files f=title 
| fields title 
| dedup title 
| map maxsearches=1000 search="|inputlookup $title$  | fieldsummary |eval lookup_name=$title$ | fields values field lookup_name " 
| spath input=values 
| rename {}.* as *| fields lookup_name field value 
| search value="text_to_search"

 

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
Reply

finchy
Explorer
‎01-27-2023 06:36 AM

Hi,

Thanks i get this error message and only returns a few records guess i don't have enough permissions

Restricting results of the "rest" operator to the local instance because you do not have the "dispatch_rest_to_indexers" capability

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-27-2023 06:43 AM

There's no need to grab lookup files from the indexers since the SH should have the same ones.  Use the splunk_server=local option to suppress the warning.

| rest splunk_server=local /servicesNS/-/-/data/lookup-table-files f=title 
| fields title 
| dedup title 
| map maxsearches=1000 search="|inputlookup $title$  | fieldsummary |eval lookup_name=$title$ | fields values field lookup_name " 
| spath input=values 
| rename {}.* as *| fields lookup_name field value 
| search value="text_to_search"

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-27-2023 05:57 AM

Searching multiple lookup files requires using multiple lookup commands, one for each file.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Your Voice Matters! Help Us Shape the New Splunk Lantern Experience

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Community Content Calendar, October Edition

Welcome to the October edition of our Community Spotlight! The Splunk Community is a treasure trove of ...