| input lookup return ALL rather than specify numb...

robf · ‎01-16-2015

I'm trying to add this to my search but the number of lookup users may change!!

(|inputlookup lotsofusers.csv | return 3 $users)

((user1) OR (user2) OR (user3))

Is there a better way to do this? * does not work.

Thanks

orion44 · ‎06-12-2019

It would be nice to know the answer to this question. Why do we have to specify a hardcoded value of records to return when using inputlookup? The logical thing to do is check all records.

somesoni2 · ‎01-16-2015

Give this a try

your base search  [|inputlookup lotsofusers.csv | eval search=users | table search]

aweitzman · ‎01-16-2015

If you're using it as a subsearch, you can use the fields command to reduce what gets returned without needing return. Try this:

[|inputlookup lotsofusers.csv | fields users]

You should get all of them.

robf · ‎01-16-2015

thanks but this gives

((user=user1) OR (user=user2) OR (user=user3))

i want to search keywords only

((user1) OR (user2) OR (user3))

with the return command you can use the $ symbol to achieve this

aweitzman · ‎01-16-2015

How about this:

[|inputlookup lotsofusers.csv | fields users | format | rex field=search mode=sed "s/user=//g"]

fdi01 · ‎01-16-2015

try as:
[|inputlookup lotsofusers.csv | return 3 $users]

robf · ‎01-16-2015

i dont think you understood the question... i don't want to specify how many users. it could be 3 , 300, 3333...

| input lookup return ALL rather than specify number

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)