Splunk Search

Iterate Through Field Values in Static File

mconte01
Explorer

I need to get the most recent event from about 100 different "channels" that are defined in my data. But the only way I know of to do this would be chan_name='x' OR chan_name='y' ... for 100 different channel names. What I want is to be able to feed Splunk a static file with all of these names listed and then iterate over each one. Is this possible?

The query would need to look something like this:

sourcetype="foo" chan_name="[channel_name]" | head 1

where [channel_name] would take the value of each name listed in the static file.

1 Solution

dwaddle
SplunkTrust

Yes, through a combination of inputlookup and subsearches. But head won't work because it doesn't understand a 'by' clause. So, we'll approach it like this:

sourcetype="foo" [ | inputlookup channel_names.csv ] | dedup chan_name

You'll need to define a file in $SPLUNK_HOME/etc/system/lookups called channel_names.csv. Its contents should be as follows:

chan_name
x
y
z
p
foo
bar
baz
potato
bacon
.
.
.
channel100

The end result is that Splunk will read the lookup, and as output of the subsearch "fill in" the outside search with a list of values from the CSV file. Then, dedup will keep the most recent event for each value of chan_name. (The use of dedup may not be the most efficient way of doing this)
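
To show what the subsearch actually does to the outer search, here is an added Python model of the pattern from this answer; it is not part of the thread and is not Splunk code. The lookup CSV and the events are constructed sample data, and the exact text Splunk renders for the subsearch (an OR of chan_name="value" terms) is an assumption about the format, not something the answer states.

```python
import csv
import io

# Constructed stand-in for $SPLUNK_HOME/etc/system/lookups/channel_names.csv
LOOKUP_CSV = """chan_name
x
y
potato
"""

# Constructed sample events. Splunk returns events newest-first by default,
# which is what lets dedup keep the most recent one per channel.
EVENTS = [
    {"_time": 1700000400, "chan_name": "y", "msg": "y newest"},
    {"_time": 1700000300, "chan_name": "x", "msg": "x newest"},
    {"_time": 1700000200, "chan_name": "z", "msg": "z is not in the lookup"},
    {"_time": 1700000100, "chan_name": "y", "msg": "y older"},
    {"_time": 1700000000, "chan_name": "potato", "msg": "potato only event"},
]


def lookup_values(csv_text, field):
    """Read one column of a lookup CSV, skipping blank cells (what inputlookup feeds the subsearch)."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [row[field] for row in rows if row.get(field)]


def subsearch_filter(values, field="chan_name"):
    """Render the search string the subsearch substitutes into the outer search.

    Assumption: the rendering is an OR of field="value" terms; the real format
    may differ in whitespace and parentheses.
    """
    terms = ['( {}="{}" )'.format(field, v) for v in values]
    return "( " + " OR ".join(terms) + " )"


def dedup(events, field):
    """Keep the first event seen per value of `field`, like Splunk's dedup."""
    seen = set()
    kept = []
    for event in events:
        key = event.get(field)
        if key in seen:
            continue
        seen.add(key)
        kept.append(event)
    return kept


def latest_per_channel(events, csv_text):
    """Model of: sourcetype="foo" [ | inputlookup channel_names.csv ] | dedup chan_name"""
    wanted = set(lookup_values(csv_text, "chan_name"))
    # The subsearch filter keeps only events whose chan_name is in the lookup.
    filtered = [e for e in events if e.get("chan_name") in wanted]
    # Sort newest-first so dedup keeps the most recent event per channel even
    # if the input order was not already reverse-chronological.
    filtered.sort(key=lambda e: e["_time"], reverse=True)
    return dedup(filtered, "chan_name")


if __name__ == "__main__":
    print(subsearch_filter(lookup_values(LOOKUP_CSV, "chan_name")))
    for event in latest_per_channel(EVENTS, LOOKUP_CSV):
        print(event["chan_name"], event["msg"])
```

The model also shows why head 1 alone would not do: it would return only the single newest event across all channels, whereas dedup keeps one per chan_name. Channels present in the lookup but absent from the data (none in this sample) simply produce no row, so a missing channel in the output is worth treating as a signal rather than an error.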


mconte01
Explorer

This worked perfectly. Thanks a lot!

mconte01
Explorer

I had used lookups for display purposes but I didn't know you could pass them in as inputs to searches so thanks a lot. channel_names.csv doesn't actually exist yet since I'm waiting for someone else to generate that for me but I will let you know how it works when I test it out. Thanks!
