Solved: Re: Search if a field is in the results of a subse...

OldManEd · ‎03-20-2018

I have a search that starts out like this;

index=my_index field1=abc field2=def 
   (       field3=aaa
    OR  field3=bbb
    OR  field3=ccc
    OR  field3=ddd
    OR  field3=eee
    OR  field3=fff)

Because there is a lot of data associated with field3, and it changed a lot, I was wondering if there was a technique I could use that uses a subsearch into a lookup table? I was thinking of altering the search to something like this;

 index=my_index field1=abc field2=def 
   field3 =  search [ | inputlookup <filename.csv> | fields <my_field3>]

But I'm not sure about the format of that second search.

I tried looking in the documentation but couldn't find anything. Any help would be appreciated.

~Ed

tiagofbmm · ‎03-20-2018

Hey
Yes you can take advantage of the return function,

index=my_index field1=abc field2=def  [ search  | inputlookup <filename.csv> | fields <my_field3> | return 100 field3]

That gives an ORed list of your field3 values and passes them properly to the primary search

View solution in original post

tiagofbmm · ‎03-20-2018

Hey
Yes you can take advantage of the return function,

index=my_index field1=abc field2=def  [ search  | inputlookup <filename.csv> | fields <my_field3> | return 100 field3]

That gives an ORed list of your field3 values and passes them properly to the primary search

OldManEd · ‎03-21-2018

tiagofbmm,
This is great. Thanks for your quick reply. But I do have 2 questions.

The value '100' in the return command is there to make sure all the data in the "my_fields" column of the file are returned. I went through the documentation and this seems correct. The default looks to be 1. My part is to make sure the 100 is large enough to return everything in that column.
Using your search above;

[ search | inputlookup | fields | return 100 field3]

will map all the results in 'OR' format to the field3 attribute automatically? I do not need to write something like this;

   field3 = [ search  | inputlookup <filename.csv> | fields <my_field3> | return 100 field3]

I was a little confused on this one.

Again, thanks for your help.
~Ed

tiagofbmm · ‎03-21-2018

@OldManEd

1 - The value 100 in the return command is to specify how many lines do you want of values of the specified field. As I have no idea how many you have, it is better to specify a high value to make sure all the values you want are included. So you're correct, default is to 1 and this needs to be adjusted to the size of everything in the column

2 - Return command returns an OR format automatically indeed. You don't need, actually you mustn't use the formata you mentioned there. The format I gave you is exactly what the syntax and logic requires. Test for yourself the subsearch I gave you and see what it is passing to the primary search.

Please @OldManEd if you think this answer is correct, upvote it and accept it

OldManEd · ‎03-21-2018

tiagofbmm,
Thank you again for your reply. I am testing now and everything seems to be working as advertised. I just wanted to verify everything before I started to change anything on my instance. We do not have a test environment so I just wanted to make sure I understood what I was doing.
~Ed

tiagofbmm · ‎03-21-2018

You should at least have instance in your laptop to test these kinds of code. That;s how I am answering your questions, and for your own safety you should do the same 😉

Search if a field is in the results of a subsearch

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!