Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Using Lookup Table
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
alan20854
Path Finder
06-23-2016
06:53 AM
Hi,
I am using a lookup table to populate 3 dropdown menus: Source, Service, and Method, where each selection of the previous dropdown creates the set of options for the next dropdown.
However, in the dropdown options for Service and Method, I am using a word description of the service/method code, e.g. Vendor Web Service in lieu of VNDR_WS. In my .csv file, the first three columns are source, service, and then method, and then I have two more columns with the corresponding serviceCode and methodCode.
How do I incorporate the last two columns into my search query? I would just like to search for something like serviceCode = $serviceCode$ methodCode=$methodCode$
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
06-23-2016
07:16 AM
Use like this
dropdown service
<search>
<query>| inputlookup Lookup.csv | search source="$source1$" | stats count by service serviceCode | table service serviceCode</query>
</search>
<fieldForLabel>service</fieldForLabel>
<fieldForValue>serviceCode</fieldForValue>
dropdown method
<search>
<query>| inputlookup Lookup.csv | search (source = "$source1$" AND serviceCode = "$service1$")| stats count by method methodCode| table method methodCode</query>
<earliest>0</earliest>
</search>
<fieldForLabel>method</fieldForLabel>
<fieldForValue>methodCode</fieldForValue>
Panel Search
| inputlookup Lookup.csv | $serviceCode$ = search (source = "$source1$" AND serviceCode = "$service1$" AND methodCode = "$method1$") |sort -_time | head 1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
snoobzilla
Builder
06-23-2016
07:23 AM
Perfect used case for label/value functionality... I partially changed below. Basically you need to carry changes into your search.
<input type="dropdown" token="source1" searchWhenChanged="true">
<label>Source</label>
<search>
<query>| inputlookup Lookup.csv | stats count by source | table source</query>
</search>
<fieldForLabel>source</fieldForLabel>
<fieldForValue>source</fieldForValue>
</input>
<input type="dropdown" token="service1" searchWhenChanged="true">
<label>Service</label>
<search>
<query>| inputlookup Lookup.csv | search source="$source1$" | stats count by service | table service ServiceCode</query>
</search>
<fieldForLabel>service</fieldForLabel>
<fieldForValue>ServiceCode</fieldForValue>
</input>
<input type="dropdown" token="method1" searchWhenChanged="true">
<label>Method/Operation</label>
<search>
<query>| inputlookup Lookup.csv | search (source = "$source1$" AND service = "$service1$")| stats count by method | table method MethodCode</query>
<earliest>0</earliest>
</search>
<fieldForLabel>method</fieldForLabel>
<fieldForValue>MethodCode</fieldForValue>
</input>
<input type="time" token="time" searchWhenChanged="true">
<label>Last Transaction Time</label>
<default>
<earliest>@d</earliest>
<latest>now</latest>
</default>
</input>
<panel>
<event>
<title>Most Recent Event</title>
<search>
<query>| inputlookup Lookup.csv | $serviceCode$ = search (source = "$source1$" AND service = "$service1$" AND method = "$method1$") |sort -_time | head 1
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
</search>
<fields>["host","source","sourcetype"]</fields>
</event>
</panel>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
06-23-2016
07:16 AM
Use like this
dropdown service
<search>
<query>| inputlookup Lookup.csv | search source="$source1$" | stats count by service serviceCode | table service serviceCode</query>
</search>
<fieldForLabel>service</fieldForLabel>
<fieldForValue>serviceCode</fieldForValue>
dropdown method
<search>
<query>| inputlookup Lookup.csv | search (source = "$source1$" AND serviceCode = "$service1$")| stats count by method methodCode| table method methodCode</query>
<earliest>0</earliest>
</search>
<fieldForLabel>method</fieldForLabel>
<fieldForValue>methodCode</fieldForValue>
Panel Search
| inputlookup Lookup.csv | $serviceCode$ = search (source = "$source1$" AND serviceCode = "$service1$" AND methodCode = "$method1$") |sort -_time | head 1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
alan20854
Path Finder
06-23-2016
07:49 AM
Thanks for the help!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
snoobzilla
Builder
06-23-2016
07:25 AM
Yeah, what he said.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
alan20854
Path Finder
06-23-2016
06:53 AM
Here is my XML:
<input type="dropdown" token="source1" searchWhenChanged="true">
<label>Source</label>
<search>
<query>| inputlookup Lookup.csv | stats count by source | table source</query>
</search>
<fieldForLabel>source</fieldForLabel>
<fieldForValue>source</fieldForValue>
</input>
<input type="dropdown" token="service1" searchWhenChanged="true">
<label>Service</label>
<search>
<query>| inputlookup Lookup.csv | search source="$source1$" | stats count by service | table service</query>
</search>
<fieldForLabel>service</fieldForLabel>
<fieldForValue>service</fieldForValue>
</input>
<input type="dropdown" token="method1" searchWhenChanged="true">
<label>Method/Operation</label>
<search>
<query>| inputlookup Lookup.csv | search (source = "$source1$" AND service = "$service1$")| stats count by method | table method</query>
<earliest>0</earliest>
</search>
<fieldForLabel>method</fieldForLabel>
<fieldForValue>method</fieldForValue>
</input>
<input type="time" token="time" searchWhenChanged="true">
<label>Last Transaction Time</label>
<default>
<earliest>@d</earliest>
<latest>now</latest>
</default>
</input>
<panel>
<event>
<title>Most Recent Event</title>
<search>
<query>| inputlookup Lookup.csv | $serviceCode$ = search (source = "$source1$" AND service = "$service1$" AND method = "$method1$") |sort -_time | head 1
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
</search>
<fields>["host","source","sourcetype"]</fields>
</event>
</panel>
Get Updates on the Splunk Community!
[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events
This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...
Enter the Agentic Era with Splunk AI Assistant for SPL 1.4
🚀 Your data just got a serious AI upgrade — are you ready?
Say hello to the Agentic Era with the ...
Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...
Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
