Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

combine two pieces of code

xiangtaner
Path Finder
‎04-21-2016 07:35 AM

Hi,

I have two pieces of codes executed in orders. The first piece generates a lookup table by "|outputlookup test.csv", then the second piece uses the lookup table generated by calling "|inputlookup test.csv". Can I combine them into ONE piece of code?

search1
| outputlookup test.csv

search2
[ inputlookup test.csv | fields IP]
| ....

Thanks and Regards,

xiangtaner

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

javiergn
Super Champion
‎04-21-2016 07:44 AM

There's probably an easy and cleaner way to do this but we would need to know exactly what you are trying to achieve and what search1 and search2 are.

If all you are looking for is a quick answer, try the following with appendcols:

search1
| outputlookup test.csv
| fields - *
| appendcols [ |inputlookup test.csv | fields IP]

EDIT to include answer below:

Would it not be easier in that case and probably more efficient to maintain a scheduled job populating your test.csv file every 15 or 30 minutes and then simply doing the following when you want to apply the IP filtering:

 your search here
 | lookup my_ip_filter_based_on_test_csv IP

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

javiergn
Super Champion
‎04-21-2016 07:44 AM

There's probably an easy and cleaner way to do this but we would need to know exactly what you are trying to achieve and what search1 and search2 are.

If all you are looking for is a quick answer, try the following with appendcols:

search1
| outputlookup test.csv
| fields - *
| appendcols [ |inputlookup test.csv | fields IP]

EDIT to include answer below:

Would it not be easier in that case and probably more efficient to maintain a scheduled job populating your test.csv file every 15 or 30 minutes and then simply doing the following when you want to apply the IP filtering:

 your search here
 | lookup my_ip_filter_based_on_test_csv IP
0 Karma
Reply
Solved! Jump to solution

xiangtaner
Path Finder
‎04-21-2016 11:31 AM

Thanks javiergn for the inputs and sorry that I didn't specify the detailed usage of the lookup table test.csv generated from the first step. The test.csv stores a list of IPs for further exploration. Then in the second step, from a very big source I would like to use the test.csv to filter out all irrelevant IPs by excluding them if they are not present in test.csv.

Thanks!

0 Karma
Reply
Solved! Jump to solution

javiergn
Super Champion
‎04-22-2016 03:11 AM

In summary, you want to filter out and only display those present in test.csv correct?
Would it not be easier in that case and probably more efficient to maintain a scheduled job populating your test.csv file every 15 or 30 minutes and then simply doing the following when you want to apply the IP filtering:

your search here
| lookup my_ip_filter_based_on_test_csv IP

If you still want to run everything in one search then my previous answer is probably good enough.

Hope that helps

Reply
Solved! Jump to solution

xiangtaner
Path Finder
‎04-22-2016 01:09 PM

Thanks javiergn, yes, this seems to be the right direction to maintain a scheduled job populating the lookup table.

0 Karma
Reply
Solved! Jump to solution

javiergn
Super Champion
‎04-22-2016 01:40 PM

No worries. If you found the answer useful please remember to mark it / vote it so that others can benefit from it.

Thanks,
J

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...