Splunk Search

Nested lookup search

g_paternicola
Path Finder

Hi everyone,  I'm trying to get the following search work, but for some reason I'm doing something wrong:

 

inputlookup events_lookup
| eval key = _key 
|search key in
[| inputlookup notable_events_lookup search name="tobedeleted" | fields - _time | fields event_id] 
|table key

 

I'm basically trying to import event_id from a lookup ( notable_events_lookup) which is matching to another lookup (evets_lookup) in order to remove the matching event in the lookup (events_lookup)

I hope it makes sense what I'm trying to explain. Thanks everyone

 

Labels (2)
0 Karma
1 Solution

aasabatini
Motivator

Hi @g_paternicola 

 

try this

inputlookup events_lookup
| eval key = _key 
| search [| inputlookup notable_events_lookup search name="tobedeleted" | fields - _time | rename event_id as key | fields key] 
|table key
“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”

View solution in original post

aasabatini
Motivator

Hi @g_paternicola 

 

try this

inputlookup events_lookup
| eval key = _key 
| search [| inputlookup notable_events_lookup search name="tobedeleted" | fields - _time | rename event_id as key | fields key] 
|table key
“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”

Taruchit
Contributor

Hi @aasabatini 

I have the below SPL: -

| inputlookup table1.csv where index="xxx" | fields index, host 
| search NOT [search index="xxx" | dedup host | table index, host]

I have table2.csv with following fields: -
index, host, lastTime

I need to search the results from above SPL based on host and index in table2.csv and get the corresponding value of the column: lastTime. Thus, as the final resultset, I need: - index, host,  lastTime. 

Please help with your suggestions. 

Thank you

0 Karma

g_paternicola
Path Finder

Thanks a lot! it works :slightly_smiling_face:

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...