Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Search w/Inputlookup Subsearch Not Working

Kevin_S
Explorer
‎04-20-2021 03:13 AM

Hello Experts,

I am new to Splunk and trying to get a search query with subsearch to work. Here is what I have so far:

index=palantir_audit host="merlin.palantir.abc.ncc" sourcetype=_json
| search "DOS CCD"
| search "requestParams.primaryInputs{}.type"=SEARCH_TERMS name=SEARCH
| spath output=search_values path=requestParams.primaryInputs{0}.values{0}
| spath output=data_sources path=resultParams.additionalContent{}.resources{}.title
| table time data_sources search_values

The above returns two results at runtime with "DOS CCD" as one or more of values in the data_sources field and i also have a "time" field (doesn't appear to be a reserved word) and a search_values field

I want to replace the second line of the main search with a subsearch using the below. The .csv lookup file has three columns of which I am returning "DataSource"

|inputlookup Palantir_T3_Collection_Lookup_JSON.csv
|rename DataSource as data_sources
|table data_sources

This runs fine and gets the value "DOS CCD" from the lookup file with no problem, but when I try and pass this result into the main search like this I get no results:

index=palantir_audit host="merlin.palantir.abc.ncc" sourcetype=_json
[|inputlookup Palantir_T3_Collection_Lookup_JSON.csv
|rename DataSource as data_sources
|table data_sources]
| search "requestParams.primaryInputs{}.type"=SEARCH_TERMS name=SEARCH
| spath output=search_values path=requestParams.primaryInputs{0}.values{0}
| spath output=data_sources path=resultParams.additionalContent{}.resources{}.title
| table time data_sources search_values

Any help would be greatly appreciated. Thanks!

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-20-2021 05:36 AM

No, you need to put it after the spath extract

index=palantir_audit host="merlin.palantir.abc.ncc" sourcetype=_json
| search "requestParams.primaryInputs{}.type"=SEARCH_TERMS name=SEARCH
| spath output=search_values path=requestParams.primaryInputs{0}.values{0}
| spath output=data_sources path=resultParams.additionalContent{}.resources{}.title

| search [|inputlookup Palantir_T3_Collection_Lookup_JSON.csv
|rename DataSource as data_sources
|table data_sources]

| table time data_sources search_values

 

View solution in original post

Reply
Solved! Jump to solution

Kevin_S
Explorer
‎04-20-2021 05:08 AM

Thanks! I tried moving the subsearch to after the field has been extracted - which I assume is after the "| search "requestParams.primaryInputs{}.type"=SEARCH_TERMS name=SEARCH" line?
No luck so far..
index=palantir_audit host="merlin.palantir.abc.ncc" sourcetype=_json
[|inputlookup Palantir_T3_Collection_Lookup_JSON.csv
|rename DataSource as data_sources
|table data_sources]
| search "requestParams.primaryInputs{}.type"=SEARCH_TERMS name=SEARCH
| spath output=search_values path=requestParams.primaryInputs{0}.values{0}
| spath output=data_sources path=resultParams.additionalContent{}.resources{}.title
| table time data_sources search_values

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-20-2021 05:36 AM

No, you need to put it after the spath extract

index=palantir_audit host="merlin.palantir.abc.ncc" sourcetype=_json
| search "requestParams.primaryInputs{}.type"=SEARCH_TERMS name=SEARCH
| spath output=search_values path=requestParams.primaryInputs{0}.values{0}
| spath output=data_sources path=resultParams.additionalContent{}.resources{}.title

| search [|inputlookup Palantir_T3_Collection_Lookup_JSON.csv
|rename DataSource as data_sources
|table data_sources]

| table time data_sources search_values

 

Reply
Solved! Jump to solution

Kevin_S
Explorer
‎04-20-2021 07:09 AM

Yes!!!! thanks so much. That worked!

Tags (1)
0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-20-2021 03:30 AM

At the time you are doing the inputlookup data_sources hasn't been extracted - when you put the inputlookup in square brackets that equates to data_sources="A" OR data_sources="B" etc i.e. name of field returned by sub-query with each of the values returned by the inputlookup. You colud try renaming DataSource to "resultParams.additionalContent{}.resources{}.title" (or something like that) but I am not sure it would work, or move the search to after the field has been extracted

Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...