Search w/Inputlookup Subsearch Not Working

Kevin_S
Explorer

Hello Experts,

I am new to Splunk and trying to get a search query with subsearch to work. Here is what I have so far:

index=palantir_audit host="merlin.palantir.abc.ncc" sourcetype=_json
| search "DOS CCD"
| search "requestParams.primaryInputs{}.type"=SEARCH_TERMS name=SEARCH
| spath output=search_values path=requestParams.primaryInputs{0}.values{0}
| spath output=data_sources path=resultParams.additionalContent{}.resources{}.title
| table time data_sources search_values

The above returns two results at runtime with "DOS CCD" as one or more of the values in the data_sources field, and I also have a "time" field (doesn't appear to be a reserved word) and a search_values field.

I want to replace the second line of the main search with a subsearch using the below. The .csv lookup file has three columns, of which I am returning "DataSource".

|inputlookup Palantir_T3_Collection_Lookup_JSON.csv
|rename DataSource as data_sources
|table data_sources

This runs fine and gets the value "DOS CCD" from the lookup file with no problem, but when I try to pass this result into the main search like this I get no results:

index=palantir_audit host="merlin.palantir.abc.ncc" sourcetype=_json
[|inputlookup Palantir_T3_Collection_Lookup_JSON.csv
|rename DataSource as data_sources
|table data_sources]
| search "requestParams.primaryInputs{}.type"=SEARCH_TERMS name=SEARCH
| spath output=search_values path=requestParams.primaryInputs{0}.values{0}
| spath output=data_sources path=resultParams.additionalContent{}.resources{}.title
| table time data_sources search_values

Any help would be greatly appreciated. Thanks!

1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

No, you need to put it after the spath extract

index=palantir_audit host="merlin.palantir.abc.ncc" sourcetype=_json
| search "requestParams.primaryInputs{}.type"=SEARCH_TERMS name=SEARCH
| spath output=search_values path=requestParams.primaryInputs{0}.values{0}
| spath output=data_sources path=resultParams.additionalContent{}.resources{}.title

| search [|inputlookup Palantir_T3_Collection_Lookup_JSON.csv
|rename DataSource as data_sources
|table data_sources]

| table time data_sources search_values


Kevin_S
Explorer

Thanks! I tried moving the subsearch to after the field has been extracted, which I assume is after the "| search "requestParams.primaryInputs{}.type"=SEARCH_TERMS name=SEARCH" line?
No luck so far...
index=palantir_audit host="merlin.palantir.abc.ncc" sourcetype=_json
[|inputlookup Palantir_T3_Collection_Lookup_JSON.csv
|rename DataSource as data_sources
|table data_sources]
| search "requestParams.primaryInputs{}.type"=SEARCH_TERMS name=SEARCH
| spath output=search_values path=requestParams.primaryInputs{0}.values{0}
| spath output=data_sources path=resultParams.additionalContent{}.resources{}.title
| table time data_sources search_values

Kevin_S
Explorer

Yes!!!! thanks so much. That worked!


ITWhisperer
SplunkTrust
SplunkTrust

At the time you are doing the inputlookup, data_sources hasn't been extracted. When you put the inputlookup in square brackets, that equates to data_sources="A" OR data_sources="B" etc., i.e. the name of the field returned by the sub-query with each of the values returned by the inputlookup. You could try renaming DataSource to "resultParams.additionalContent{}.resources{}.title" (or something like that), but I am not sure it would work, or move the search to after the field has been extracted.
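The explanation above can be checked outside Splunk. The following is an added example, not code from the thread or from Splunk: a small Python model of the relevant pipeline semantics. It constructs two sample JSON events and a stand-in for the Palantir_T3_Collection_Lookup_JSON.csv rows, implements a minimal spath-style extractor (positional index `{0}` and the `{}` wildcard), expands the subsearch into the `data_sources="A" OR data_sources="B"` form, and runs the same filter once before and once after the spath extraction. All event contents, lookup rows and the helper function names are assumptions made for the example.

```python
"""Model of why the inputlookup subsearch must run after spath (added example)."""
import json

# Constructed sample events (not real audit data); field names follow the thread.
EVENTS = [
    json.dumps({
        "time": "2024-01-01T10:00:00Z",
        "name": "SEARCH",
        "requestParams": {"primaryInputs": [{"type": "SEARCH_TERMS", "values": ["acme"]}]},
        "resultParams": {"additionalContent": [
            {"resources": [{"title": "DOS CCD"}, {"title": "Other Set"}]}]},
    }),
    json.dumps({
        "time": "2024-01-01T10:05:00Z",
        "name": "SEARCH",
        "requestParams": {"primaryInputs": [{"type": "SEARCH_TERMS", "values": ["widget"]}]},
        "resultParams": {"additionalContent": [{"resources": [{"title": "Unrelated Source"}]}]},
    }),
]

# Constructed stand-in for the rows of Palantir_T3_Collection_Lookup_JSON.csv.
LOOKUP_ROWS = [{"DataSource": "DOS CCD", "Owner": "team-a", "Tier": "3"}]


def spath(event: dict, path: str) -> list:
    """Minimal spath: walk a dotted path; 'key{}' expands every array element,
    'key{n}' picks element n. Returns the extracted values as a multivalue list."""
    nodes = [event]
    for part in path.split("."):
        idx = None
        if part.endswith("}"):
            part, _, inside = part[:-1].partition("{")
            idx = int(inside) if inside else "*"
        nxt = []
        for node in nodes:
            if not isinstance(node, dict) or part not in node:
                continue
            value = node[part]
            if idx is None:
                nxt.append(value)
            elif isinstance(value, list):
                nxt.extend(value if idx == "*" else value[idx:idx + 1])
        nodes = nxt
    return nodes


def subsearch_clauses(rows: list, field: str) -> list:
    """| inputlookup ... | rename DataSource as <field> | table <field>
    becomes a list of (field, value) pairs that Splunk ORs together."""
    return [(field, row["DataSource"]) for row in rows]


def clauses_to_spl(clauses: list) -> str:
    """Render the expansion the way the answer describes: field="A" OR field="B"."""
    return " OR ".join(f'{field}="{value}"' for field, value in clauses)


def matches(record: dict, clauses: list) -> bool:
    """OR over the clauses; a multivalue field matches when any of its values equals."""
    for field, value in clauses:
        values = record.get(field)
        if values is None:
            continue  # field does not exist at this stage: clause cannot match
        if not isinstance(values, list):
            values = [values]
        if value in values:
            return True
    return False


def run_pipeline(raw_events: list, filter_before_spath: bool) -> list:
    """Replay the thread's search with the subsearch filter placed either directly
    after the base search (the failing form) or after the spath commands."""
    clauses = subsearch_clauses(LOOKUP_ROWS, "data_sources")
    results = []
    for raw in raw_events:
        ev = json.loads(raw)
        # Fields available right after the base search: auto-extracted JSON keys only.
        rec = {
            "time": ev.get("time"),
            "name": ev.get("name"),
            "requestParams.primaryInputs{}.type": spath(ev, "requestParams.primaryInputs{}.type"),
        }
        if filter_before_spath and not matches(rec, clauses):
            continue  # data_sources does not exist yet, so every event is dropped
        if rec["name"] != "SEARCH" or "SEARCH_TERMS" not in rec["requestParams.primaryInputs{}.type"]:
            continue
        rec["search_values"] = spath(ev, "requestParams.primaryInputs{0}.values{0}")
        rec["data_sources"] = spath(ev, "resultParams.additionalContent{}.resources{}.title")
        if not filter_before_spath and not matches(rec, clauses):
            continue
        results.append({k: rec[k] for k in ("time", "data_sources", "search_values")})
    return results


if __name__ == "__main__":
    print("subsearch expands to:", clauses_to_spl(subsearch_clauses(LOOKUP_ROWS, "data_sources")))
    print("filter before spath:", run_pipeline(EVENTS, filter_before_spath=True))
    print("filter after spath: ", run_pipeline(EVENTS, filter_before_spath=False))
```

Running it shows the two behaviours from the thread: with the filter before spath the result set is empty because `data_sources` is not a field yet, and with the filter after spath only the event whose extracted titles include "DOS CCD" survives. In real Splunk, `| format` appended to the subsearch prints the expanded clause so the same expansion can be inspected directly.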
