Splunk Search

how to filter lookup csv first

svp66
Engager

Hi,

I have been using Splunk Enterprise 9.0.5.1 for about a month and have been experimenting with a dashboard (Studio) for application insights. I am now trying to get NFS info into my dashboard; because the NFS shares don't have logical names, I have created a simple, small lookup CSV with 2 fields, app-name and nfs-name.

This is working fine:

index=summary type=isilon_nfs-quota-alert (path="*appsdata*")
| lookup apps-nfs.csv nfs-name as path output nfs-name as found, app-name as application
| where isnotnull(found)
| table path, found, application, quota

It fetches all the NFS info for all the NFS shares in my apps-nfs.csv.

But... I don't want the entire list.

I want to use a filter on app-name in my apps-nfs.csv first and can't get that to work. Eventually I want to use the app-name token of my dashboard to filter, but I can't even get a simple search working. How do I filter app-name in the CSV before fetching the NFS info, for instance with an IN list (app1, app2, app5, etc.)?

0 Karma
1 Solution

svp66
Engager

I found it! In my list there were no quotes around the values in my token and without quotes it doesn't work here.

The solution was |s$:

| where IN('applicatie',$token_cfapp|s$)

0 Karma


PickleRick
SplunkTrust

1. General remark - don't use wildcards at the beginning of your search term if you can avoid it. If you do that, Splunk has to scan all events from the given time range to check whether any of them match the condition - it can't use its indexed database of terms. In your case the difference might be insignificant if the data sample is small, but as a general rule it's good to know, because with a big search it can make a huge difference in performance.

2. I'm not sure what you want to achieve. If you want to return only the results which match a particular field value from your lookup, you have to return that field from the lookup and then filter the results based on its values.

So if you want to filter your results to return only those for particular values of the app-name column in your lookup (which you return from the lookup as the application field), you need to do:

index=summary type=isilon_nfs-quota-alert (path="*appsdata*")
| lookup apps-nfs.csv nfs-name as path output nfs-name as found, app-name as application
| search application IN ("app1", "app2", [...])

(you can also use the "where" command to filter your results instead of "search").

0 Karma
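Putting both threads together, as an added example that is not from either poster: the search below filters the lookup on app-name before the events are fetched, by running inputlookup in a subsearch whose output becomes a `(path="..." OR path="...")` clause on the outer search. Because the lookup is reduced first, the outer search no longer needs the leading-wildcard `path="*appsdata*"` term that the reply warns about. The field names (apps-nfs.csv, app-name, nfs-name, path, quota) and the token name $token_cfapp$ come from the thread; the app names in the first search are constructed sample values. The first search is the ad-hoc form you can paste into the search bar; the second is the dashboard form, where the `|s` filter wraps the token value in double quotes and escapes any quotes inside it, so the value is always treated as a string literal rather than being spliced into the search as raw SPL.

```spl
index=summary type=isilon_nfs-quota-alert
    [| inputlookup apps-nfs.csv
     | search app-name IN ("app1", "app2", "app5")
     | rename nfs-name AS path
     | fields path]
| lookup apps-nfs.csv nfs-name AS path OUTPUT app-name AS application
| table path, application, quota

index=summary type=isilon_nfs-quota-alert
    [| inputlookup apps-nfs.csv
     | where in('app-name', $token_cfapp|s$)
     | rename nfs-name AS path
     | fields path]
| lookup apps-nfs.csv nfs-name AS path OUTPUT app-name AS application
| table path, application, quota
```

Two details worth checking when adapting this: the hyphenated field name must be wrapped in single quotes inside `where`/`eval` (`'app-name'`), while the `search` command accepts it bare; and the subsearch only restricts events whose path value matches an nfs-name value exactly, which is the same requirement the `lookup` command already has, so if the lookup worked before, the subsearch will select the same events. If the dashboard input can supply several app names at once, unquoted values in the token are exactly what broke the original attempt, so keep the `|s` filter (or configure the input to emit quoted values) rather than interpolating the token bare.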