I have a lookup table with a bunch of results. There is a field called "accounts" representing a list of customers. Our Splunk index has data on many more accounts than the lookup table has. How can I limit the results of my query to only the ones in the lookup table?
In pseudo code terms, I want to pull all accounts from the lookup table into the array, then limit my search with a WHERE command to the accounts in the array.
Search like so:
your_search_for_all_events_with_accounts [| inputlookup your_lookup_file | fields + accounts]
The subsearch (in square brackets) will run first and return a list of accounts in the format
(accounts=aaaa) OR (accounts=bbbb) OR (accounts=cccc) OR (accounts=dddd)
which are added to the outer search, which is then run.
/k
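As an added example (not part of the original answer), here is the same subsearch pattern written out with placeholder names, followed by the search Splunk actually runs once the subsearch has been expanded. The index, sourcetype, lookup file name and the `customer` column are assumptions for illustration; the `rename` handles the case where the lookup column does not already carry the same name as the event field, since the subsearch output is matched on field name.

```spl
index=my_index sourcetype=my_sourcetype
    [| inputlookup my_accounts.csv
     | rename customer AS accounts
     | fields + accounts]
| table _time accounts action
```

With three rows in the lookup, the subsearch expands to the outer search shown below before it runs:

```spl
index=my_index sourcetype=my_sourcetype
    ((accounts="aaaa") OR (accounts="bbbb") OR (accounts="cccc"))
| table _time accounts action
```

Keep in mind that a subsearch is capped by Splunk's default limits (10,000 results and 60 seconds), so if the lookup grows past that size some accounts will silently be dropped from the generated OR list; for very large lookups the usual alternative is `| lookup my_accounts.csv customer AS accounts OUTPUT customer AS matched | where isnotnull(matched)` on the outer search instead of a subsearch.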