Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is there a way to search across multiple lookup files to find text within them?

finchy
Explorer
‎01-27-2023 05:26 AM

Hi

Is there a way to search across multiple Lookup files to find text within them ?  I know that you can use | inputlookup to get the contents of a single lookup csv file but I'm trying to search for any csv files that might have a specific string value.

Labels (1)
Labels
0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎01-27-2023 05:57 AM

@finchy,

You can use below sample, it will search for  "text_to_search" value in all lookups. It is better to limit lookup files by filtering title.

 

| rest /servicesNS/-/-/data/lookup-table-files f=title 
| fields title 
| dedup title 
| map maxsearches=1000 search="|inputlookup $title$  | fieldsummary |eval lookup_name=$title$ | fields values field lookup_name " 
| spath input=values 
| rename {}.* as *| fields lookup_name field value 
| search value="text_to_search"

 

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
Reply

finchy
Explorer
‎01-27-2023 06:36 AM

Hi,

Thanks i get this error message and only returns a few records guess i don't have enough permissions

Restricting results of the "rest" operator to the local instance because you do not have the "dispatch_rest_to_indexers" capability

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-27-2023 06:43 AM

There's no need to grab lookup files from the indexers since the SH should have the same ones.  Use the splunk_server=local option to suppress the warning.

| rest splunk_server=local /servicesNS/-/-/data/lookup-table-files f=title 
| fields title 
| dedup title 
| map maxsearches=1000 search="|inputlookup $title$  | fieldsummary |eval lookup_name=$title$ | fields values field lookup_name " 
| spath input=values 
| rename {}.* as *| fields lookup_name field value 
| search value="text_to_search"

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-27-2023 05:57 AM

Searching multiple lookup files requires using multiple lookup commands, one for each file.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...