Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Search w/Inputlookup Subsearch Not Working

Kevin_S
Explorer
‎04-20-2021 03:13 AM

Hello Experts,

I am new to Splunk and trying to get a search query with subsearch to work. Here is what I have so far:

index=palantir_audit host="merlin.palantir.abc.ncc" sourcetype=_json
| search "DOS CCD"
| search "requestParams.primaryInputs{}.type"=SEARCH_TERMS name=SEARCH
| spath output=search_values path=requestParams.primaryInputs{0}.values{0}
| spath output=data_sources path=resultParams.additionalContent{}.resources{}.title
| table time data_sources search_values

The above returns two results at runtime with "DOS CCD" as one or more of values in the data_sources field and i also have a "time" field (doesn't appear to be a reserved word) and a search_values field

I want to replace the second line of the main search with a subsearch using the below. The .csv lookup file has three columns of which I am returning "DataSource"

|inputlookup Palantir_T3_Collection_Lookup_JSON.csv
|rename DataSource as data_sources
|table data_sources

This runs fine and gets the value "DOS CCD" from the lookup file with no problem, but when I try and pass this result into the main search like this I get no results:

index=palantir_audit host="merlin.palantir.abc.ncc" sourcetype=_json
[|inputlookup Palantir_T3_Collection_Lookup_JSON.csv
|rename DataSource as data_sources
|table data_sources]
| search "requestParams.primaryInputs{}.type"=SEARCH_TERMS name=SEARCH
| spath output=search_values path=requestParams.primaryInputs{0}.values{0}
| spath output=data_sources path=resultParams.additionalContent{}.resources{}.title
| table time data_sources search_values

Any help would be greatly appreciated. Thanks!

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-20-2021 05:36 AM

No, you need to put it after the spath extract

index=palantir_audit host="merlin.palantir.abc.ncc" sourcetype=_json
| search "requestParams.primaryInputs{}.type"=SEARCH_TERMS name=SEARCH
| spath output=search_values path=requestParams.primaryInputs{0}.values{0}
| spath output=data_sources path=resultParams.additionalContent{}.resources{}.title

| search [|inputlookup Palantir_T3_Collection_Lookup_JSON.csv
|rename DataSource as data_sources
|table data_sources]

| table time data_sources search_values

 

View solution in original post

Reply
Solved! Jump to solution

Kevin_S
Explorer
‎04-20-2021 05:08 AM

Thanks! I tried moving the subsearch to after the field has been extracted - which I assume is after the "| search "requestParams.primaryInputs{}.type"=SEARCH_TERMS name=SEARCH" line?
No luck so far..
index=palantir_audit host="merlin.palantir.abc.ncc" sourcetype=_json
[|inputlookup Palantir_T3_Collection_Lookup_JSON.csv
|rename DataSource as data_sources
|table data_sources]
| search "requestParams.primaryInputs{}.type"=SEARCH_TERMS name=SEARCH
| spath output=search_values path=requestParams.primaryInputs{0}.values{0}
| spath output=data_sources path=resultParams.additionalContent{}.resources{}.title
| table time data_sources search_values

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-20-2021 05:36 AM

No, you need to put it after the spath extract

index=palantir_audit host="merlin.palantir.abc.ncc" sourcetype=_json
| search "requestParams.primaryInputs{}.type"=SEARCH_TERMS name=SEARCH
| spath output=search_values path=requestParams.primaryInputs{0}.values{0}
| spath output=data_sources path=resultParams.additionalContent{}.resources{}.title

| search [|inputlookup Palantir_T3_Collection_Lookup_JSON.csv
|rename DataSource as data_sources
|table data_sources]

| table time data_sources search_values

 

Reply
Solved! Jump to solution

Kevin_S
Explorer
‎04-20-2021 07:09 AM

Yes!!!! thanks so much. That worked!

Tags (1)
0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-20-2021 03:30 AM

At the time you are doing the inputlookup data_sources hasn't been extracted - when you put the inputlookup in square brackets that equates to data_sources="A" OR data_sources="B" etc i.e. name of field returned by sub-query with each of the values returned by the inputlookup. You colud try renaming DataSource to "resultParams.additionalContent{}.resources{}.title" (or something like that) but I am not sure it would work, or move the search to after the field has been extracted

Reply
Get Updates on the Splunk Community!

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...