Hello Experts,
I am new to Splunk and trying to get a search query with subsearch to work. Here is what I have so far:
index=palantir_audit host="merlin.palantir.abc.ncc" sourcetype=_json
| search "DOS CCD"
| search "requestParams.primaryInputs{}.type"=SEARCH_TERMS name=SEARCH
| spath output=search_values path=requestParams.primaryInputs{0}.values{0}
| spath output=data_sources path=resultParams.additionalContent{}.resources{}.title
| table time data_sources search_values
The above returns two results at runtime with "DOS CCD" as one or more of the values in the data_sources field, and I also have a "time" field (doesn't appear to be a reserved word) and a search_values field.
I want to replace the second line of the main search with a subsearch using the below. The .csv lookup file has three columns, of which I am returning "DataSource":
|inputlookup Palantir_T3_Collection_Lookup_JSON.csv
|rename DataSource as data_sources
|table data_sources
This runs fine and gets the value "DOS CCD" from the lookup file with no problem, but when I try and pass this result into the main search like this I get no results:
index=palantir_audit host="merlin.palantir.abc.ncc" sourcetype=_json
[|inputlookup Palantir_T3_Collection_Lookup_JSON.csv
|rename DataSource as data_sources
|table data_sources]
| search "requestParams.primaryInputs{}.type"=SEARCH_TERMS name=SEARCH
| spath output=search_values path=requestParams.primaryInputs{0}.values{0}
| spath output=data_sources path=resultParams.additionalContent{}.resources{}.title
| table time data_sources search_values
Any help would be greatly appreciated. Thanks!
No, you need to put it after the spath extract
index=palantir_audit host="merlin.palantir.abc.ncc" sourcetype=_json
| search "requestParams.primaryInputs{}.type"=SEARCH_TERMS name=SEARCH
| spath output=search_values path=requestParams.primaryInputs{0}.values{0}
| spath output=data_sources path=resultParams.additionalContent{}.resources{}.title
| search [|inputlookup Palantir_T3_Collection_Lookup_JSON.csv
|rename DataSource as data_sources
|table data_sources]
| table time data_sources search_values
Thanks! I tried moving the subsearch to after the field has been extracted - which I assume is after the "| search "requestParams.primaryInputs{}.type"=SEARCH_TERMS name=SEARCH" line?
No luck so far.
index=palantir_audit host="merlin.palantir.abc.ncc" sourcetype=_json
[|inputlookup Palantir_T3_Collection_Lookup_JSON.csv
|rename DataSource as data_sources
|table data_sources]
| search "requestParams.primaryInputs{}.type"=SEARCH_TERMS name=SEARCH
| spath output=search_values path=requestParams.primaryInputs{0}.values{0}
| spath output=data_sources path=resultParams.additionalContent{}.resources{}.title
| table time data_sources search_values
At the time you are doing the inputlookup, data_sources hasn't been extracted. When you put the inputlookup in square brackets, that equates to data_sources="A" OR data_sources="B" etc., i.e. the name of the field returned by the sub-query with each of the values returned by the inputlookup. You could try renaming DataSource to "resultParams.additionalContent{}.resources{}.title" (or something like that), but I am not sure it would work, or move the search to after the field has been extracted.
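An alternative to the subsearch, added here as an example and not part of the original thread: once spath has produced data_sources, the lookup command can do the matching directly, which avoids the subsearch result limits (10,000 rows by default). It assumes the lookup file and its DataSource column from the question; mvexpand splits the multivalue data_sources field so each title is matched on its own, and matched_source is a name chosen for this example.

```spl
index=palantir_audit host="merlin.palantir.abc.ncc" sourcetype=_json
| search "requestParams.primaryInputs{}.type"=SEARCH_TERMS name=SEARCH
| spath output=search_values path=requestParams.primaryInputs{0}.values{0}
| spath output=data_sources path=resultParams.additionalContent{}.resources{}.title
| mvexpand data_sources
| lookup Palantir_T3_Collection_Lookup_JSON.csv DataSource AS data_sources OUTPUT DataSource AS matched_source
| where isnotnull(matched_source)
| table time data_sources search_values
```

To see exactly what the square-bracket subsearch expands to, run the inputlookup pipeline on its own with `| format` appended; the generated `data_sources="..." OR data_sources="..."` clause appears in the search field.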