Splunk Search

Lookup Table search wildcards

balcv
Contributor

I have created a lookup table, service.csv

host,service,resource
"host1","fdl","all"
"host2","finance","db"
"host3","campus","web"
"host4","finance","db"
"host5","finance","db"
"host6","finance","app"
"host7","finance","app"

I have created a dashboard with 2 inputs, service and resource, which are both dropdown lists with various options in each, but also with an ALL option with a value of *.

The search linked to this dashboard is as follows:

index="*" source="*secure" ("keyboard")
| lookup "service.csv" host OUTPUT host,service,resource 
| where service="$service$" AND resource="$resource$"
| table service,resource,host,source,_raw | sort -_raw

When I select a specific service and a specific resource from the dropdown lists, the search returns the desired results from both the lookup table and the data source. However, when I select the ALL (*) option for either or both lists, it get no results returned.

The search looks like:

index="*" source="*secure" ("keyboard")
| lookup "service.csv" host OUTPUT host,service,resource 
| where service="*" AND resource="*"
| table service,resource,host,source,_raw | sort -_raw

Is there a way to resolve this so that I get return the desired results.

0 Karma
1 Solution

nareshinsvu
Builder

How about using search(without AND operator) instead of where?

| search service="*"  resource="*"

View solution in original post

nareshinsvu
Builder

How about using search(without AND operator) instead of where?

| search service="*"  resource="*"

balcv
Contributor

Sooooo simple!!. Thank you.

0 Karma
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...