Splunk Search
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

combine two pieces of code

xiangtaner
Path Finder
‎04-21-2016 07:35 AM

Hi,

I have two pieces of codes executed in orders. The first piece generates a lookup table by "|outputlookup test.csv", then the second piece uses the lookup table generated by calling "|inputlookup test.csv". Can I combine them into ONE piece of code?

search1
| outputlookup test.csv

search2
[ inputlookup test.csv | fields IP]
| ....

Thanks and Regards,

xiangtaner

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

javiergn
Super Champion
‎04-21-2016 07:44 AM

There's probably an easy and cleaner way to do this but we would need to know exactly what you are trying to achieve and what search1 and search2 are.

If all you are looking for is a quick answer, try the following with appendcols:

search1
| outputlookup test.csv
| fields - *
| appendcols [ |inputlookup test.csv | fields IP]

EDIT to include answer below:

Would it not be easier in that case and probably more efficient to maintain a scheduled job populating your test.csv file every 15 or 30 minutes and then simply doing the following when you want to apply the IP filtering:

 your search here
 | lookup my_ip_filter_based_on_test_csv IP

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

javiergn
Super Champion
‎04-21-2016 07:44 AM

There's probably an easy and cleaner way to do this but we would need to know exactly what you are trying to achieve and what search1 and search2 are.

If all you are looking for is a quick answer, try the following with appendcols:

search1
| outputlookup test.csv
| fields - *
| appendcols [ |inputlookup test.csv | fields IP]

EDIT to include answer below:

Would it not be easier in that case and probably more efficient to maintain a scheduled job populating your test.csv file every 15 or 30 minutes and then simply doing the following when you want to apply the IP filtering:

 your search here
 | lookup my_ip_filter_based_on_test_csv IP
0 Karma
Reply
Solved! Jump to solution

xiangtaner
Path Finder
‎04-21-2016 11:31 AM

Thanks javiergn for the inputs and sorry that I didn't specify the detailed usage of the lookup table test.csv generated from the first step. The test.csv stores a list of IPs for further exploration. Then in the second step, from a very big source I would like to use the test.csv to filter out all irrelevant IPs by excluding them if they are not present in test.csv.

Thanks!

0 Karma
Reply
Solved! Jump to solution

javiergn
Super Champion
‎04-22-2016 03:11 AM

In summary, you want to filter out and only display those present in test.csv correct?
Would it not be easier in that case and probably more efficient to maintain a scheduled job populating your test.csv file every 15 or 30 minutes and then simply doing the following when you want to apply the IP filtering:

your search here
| lookup my_ip_filter_based_on_test_csv IP

If you still want to run everything in one search then my previous answer is probably good enough.

Hope that helps

Reply
Solved! Jump to solution

xiangtaner
Path Finder
‎04-22-2016 01:09 PM

Thanks javiergn, yes, this seems to be the right direction to maintain a scheduled job populating the lookup table.

0 Karma
Reply
Solved! Jump to solution

javiergn
Super Champion
‎04-22-2016 01:40 PM

No worries. If you found the answer useful please remember to mark it / vote it so that others can benefit from it.

Thanks,
J

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL  The Splunk AI Assistant for SPL ...

Buttercup Games: Further Dashboarding Techniques (Part 5)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Customers Increasingly Choose Splunk for Observability

For the second year in a row, Splunk was recognized as a Leader in the 2024 Gartner® Magic Quadrant™ for ...
Top