Splunk Search

Pass value to subsearch with inputlookup

tdoSplunk
Path Finder

Hi,

perhaps it is the wrong approach, but i try to use an inputlookup within a search and pass a value to this subsearch.
It looks like this:

    index=myindex sourcetype=stype source=sourcename
    |eval SourceHost =[|inputlookup transfer_nodes.csv 
                       |search nodeId IN ($last_source_node_id$)
                       |fields name
                       |stats first(name) as SourceHost
                       |eval SourceHost="\"".SourceHost."\""
                       |return $SourceHost
                      ]
|eval DestinationHost =[|inputlookup transfer_nodes.csv 
                       |search nodeId IN ($last_dest_node_id$)
                       |fields name
                       |stats first(name) as DestinationHost
                       |eval DestinationHost="\"".DestinationHost."\""
                       |return $DestinationHost
                      ]
    |table name,SourceHost,DestinationHost

I get the following error: Error in 'eval' command: Failed to parse the provided arguments. Usage: eval dest_key = expression.

The problem is the passing of the value $last_source_node_id$ ($last_dest_node_id$)

I already tried to map the subsearch, then the passing works, but the result is not what i expected.

Finally I would like to use a macro like GetTransferNode($last_nodeId$)

Hope you have an idea how to solve it.

best regards and thank you in advance !

0 Karma

tdoSplunk
Path Finder

I solved it by a join...
First I thought it will be to slow, but it works fine

| join type=left nodeId 
   [ |inputlookup transfer_nodes.csv
   |rename name as DestinationHost]
...
0 Karma

to4kawa
Ultra Champion
    index=myindex sourcetype=stype source=sourcename
     |eval SourceHost =[|inputlookup transfer_nodes.csv 
                        |search nodeId=$last_source_node_id$
                        |fields name
                        |stats first(name) as SourceHost
                        |eval SourceHost="\"".SourceHost."\""
                        |return $SourceHost
                       ]
 |eval DestinationHost =[|inputlookup transfer_nodes.csv 
                        |search nodeId=$last_dest_node_id$
                        |fields name
                        |stats first(name) as DestinationHost
                        |eval DestinationHost="\"".DestinationHost."\""
                        |return $DestinationHost
                       ]
     |table name,SourceHost,DestinationHost

unnecessary IN operator. How about this?

0 Karma

tdoSplunk
Path Finder

this will not work. it is not possible to pass the token $last_dest_node_id$ to the subsearch

A map would be a possible solution like ...
|map [|inputlookup transfer_nodes.csv
|search nodeId=$last_source_node_id$]

but the table only contained the result of the subsearch, not the conbination of both searches

0 Karma

to4kawa
Ultra Champion
index=myindex sourcetype=stype source=sourcename
[|inputlookup append=t transfer_nodes.csv]
|search nodeId=$last_source_node_id$ OR nodeId=$last_dest_node_id$
| eval host_flag=case(node_id=$last_source_node_id$,"Source",node_id=$last_dest_node_id$,"Dest")
| stats values(eval(if(flag="Source",name,NULL))) as SourceHost values(eval(if(flag="Dest",name,NULL))) as DestHost by name 

I think, your result is like the result of this.

0 Karma

to4kawa
Ultra Champion

What's token value "$last_source_node_id$"?
like A, B ?

0 Karma

tdoSplunk
Path Finder

number like 1 or 2 or ...

0 Karma
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...