Solved: Limit search results to those in a LOOKUP table

atornes · ‎12-11-2013

I have a lookup table with a bunch of results. There is a a field called "accounts" representing a list of customers. Our splunk index has data on many more accounts than the lookup table has. How can I limit the results of my query to only the ones in the Lookup table?

In pseudo code terms, I want to pull all accounts from the lookup table into the array, then limit my search with a WHERE command to the accounts in the array.

kristian_kolb · ‎12-11-2013

Search like so;

your_search_for_all_events_with_accounts [| inputlookup your_lookup_file | fields + accounts]

the subsearch (in square brackets) will run first and return a list of acctouns in the format

(accounts=aaaa) OR (accounts=bbbb) OR (accounts=cccc) OR (accounts=dddd)

which are added to the outer search, which is then run.

/k

View solution in original post

kristian_kolb · ‎12-11-2013

Search like so;

your_search_for_all_events_with_accounts [| inputlookup your_lookup_file | fields + accounts]

the subsearch (in square brackets) will run first and return a list of acctouns in the format

(accounts=aaaa) OR (accounts=bbbb) OR (accounts=cccc) OR (accounts=dddd)

which are added to the outer search, which is then run.

/k

Limit search results to those in a LOOKUP table

Can’t make it to .conf25? Join us online!

Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform

Calling All Security Pros: Ready to Race Through Boston?

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Are you a member of the Splunk Community?

Limit search results to those in a LOOKUP table

Can’t make it to .conf25? Join us online!

Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform

Calling All Security Pros: Ready to Race Through Boston?

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...