Splunk Search

Search w/Inputlookup Subsearch Not Working

Kevin_S
Explorer

Hello Experts,

I am new to Splunk and trying to get a search query with subsearch to work. Here is what I have so far:

index=palantir_audit host="merlin.palantir.abc.ncc" sourcetype=_json
| search "DOS CCD"
| search "requestParams.primaryInputs{}.type"=SEARCH_TERMS name=SEARCH
| spath output=search_values path=requestParams.primaryInputs{0}.values{0}
| spath output=data_sources path=resultParams.additionalContent{}.resources{}.title
| table time data_sources search_values

The above returns two results at runtime with "DOS CCD" as one or more of the values in the data_sources field, and I also have a "time" field (doesn't appear to be a reserved word) and a search_values field.

I want to replace the second line of the main search with a subsearch using the below. The .csv lookup file has three columns of which I am returning "DataSource"

|inputlookup Palantir_T3_Collection_Lookup_JSON.csv
|rename DataSource as data_sources
|table data_sources

This runs fine and gets the value "DOS CCD" from the lookup file with no problem, but when I try and pass this result into the main search like this I get no results:

index=palantir_audit host="merlin.palantir.abc.ncc" sourcetype=_json
[|inputlookup Palantir_T3_Collection_Lookup_JSON.csv
|rename DataSource as data_sources
|table data_sources]
| search "requestParams.primaryInputs{}.type"=SEARCH_TERMS name=SEARCH
| spath output=search_values path=requestParams.primaryInputs{0}.values{0}
| spath output=data_sources path=resultParams.additionalContent{}.resources{}.title
| table time data_sources search_values

Any help would be greatly appreciated. Thanks!


Kevin_S
Explorer

Thanks! I tried moving the subsearch to after the field has been extracted - which I assume is after the "| search "requestParams.primaryInputs{}.type"=SEARCH_TERMS name=SEARCH" line?
No luck so far.
index=palantir_audit host="merlin.palantir.abc.ncc" sourcetype=_json
[|inputlookup Palantir_T3_Collection_Lookup_JSON.csv
|rename DataSource as data_sources
|table data_sources]
| search "requestParams.primaryInputs{}.type"=SEARCH_TERMS name=SEARCH
| spath output=search_values path=requestParams.primaryInputs{0}.values{0}
| spath output=data_sources path=resultParams.additionalContent{}.resources{}.title
| table time data_sources search_values


ITWhisperer
SplunkTrust

No, you need to put it after the spath extract

index=palantir_audit host="merlin.palantir.abc.ncc" sourcetype=_json
| search "requestParams.primaryInputs{}.type"=SEARCH_TERMS name=SEARCH
| spath output=search_values path=requestParams.primaryInputs{0}.values{0}
| spath output=data_sources path=resultParams.additionalContent{}.resources{}.title

| search [|inputlookup Palantir_T3_Collection_Lookup_JSON.csv
|rename DataSource as data_sources
|table data_sources]

| table time data_sources search_values

Kevin_S
Explorer

Yes!!!! Thanks so much. That worked!


ITWhisperer
SplunkTrust

At the time you are doing the inputlookup, data_sources hasn't been extracted. When you put the inputlookup in square brackets, that equates to data_sources="A" OR data_sources="B" etc., i.e. the name of the field returned by the sub-query with each of the values returned by the inputlookup. You could try renaming DataSource to "resultParams.additionalContent{}.resources{}.title" (or something like that), but I am not sure it would work, or move the search to after the field has been extracted.
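A quick way to check what a subsearch actually hands to the outer search, added here as an illustration and not part of any post in the thread: run the subsearch on its own and pipe it through Splunk's format command, which renders the OR-expression the outer search would receive. The lookup file and field names are the ones from the question; the lookup contents are assumed to be whatever is on your system.

```spl
| inputlookup Palantir_T3_Collection_Lookup_JSON.csv
| rename DataSource as data_sources
| table data_sources
| format
```

The single result has a field named search containing the expanded expression; with one row whose value is DOS CCD it is ( ( data_sources="DOS CCD" ) ). That string is what the bracketed subsearch inserts into the pipeline, which is why it only matches once a field called data_sources exists, i.e. after the spath that creates it, and why any extra column left in the subsearch (hence the table data_sources) would also become part of the expression.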
