Splunk Search

What is the fastest way to use a lookup (or match records against a secondary source)?

loganramirez
Path Finder

I have index with json data that represents call data (phone calls), but there is nothing native in the index that represents lists.

Assume, for example, I have a list called "Splunk Legends" and it represents 10 numbers.

Currently if I want to 'count all calls last 30d from Splunk Legends, then I do

 

 

index=mydata 
| stats value(*) by guid -- because I'm joining some other interesting information in this index
| lookup mylookup.csv number OUTPUT list
| search list="Splunk Legends"

 

 


What I dislike about this, of course, is I have to search the entire index.

Thoughts on a better way to match value against an external data source?

Thank you!

 

 

Labels (1)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

Try incorporating the lookup into the base search.

index=mydata [ | inputlookup mylookup.csv where list="Splunk Legends" | fields number | format ]
| stats value(*) by guid -- because I'm joining some other interesting information in this index
...
---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

Try incorporating the lookup into the base search.

index=mydata [ | inputlookup mylookup.csv where list="Splunk Legends" | fields number | format ]
| stats value(*) by guid -- because I'm joining some other interesting information in this index
...
---
If this reply helps you, Karma would be appreciated.

loganramirez
Path Finder

thoughts on the 10k limit using sub searches like this?  just ran into that.

 

0 Karma

loganramirez
Path Finder

Legend.  Thank you!

Get Updates on the Splunk Community!

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...

Splunkbase | Splunk Dashboard Examples App for SimpleXML End of Life

The Splunk Dashboard Examples App for SimpleXML will reach end of support on Dec 19, 2024, after which no new ...

Understanding Generative AI Techniques and Their Application in Cybersecurity

Watch On-Demand Artificial intelligence is the talk of the town nowadays, with industries of all kinds ...