Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

inputlookup - Is it possible to pass lookup table size to return command?

rolaso
Explorer
‎07-29-2014 08:12 PM

Hi everyone,

I am trying to find a way count the lines inside a lookup table and pass it to the return command.

For example:

I am currently using:
index=index_foo [|inputlookup lookup_table_name | return 479 $field1 ]

This works fine, but its a maintenance nightmare as the table changes size often. I wrote the following to try to have the subsearch count the rows and return them all:

index=index_foo [|inputlookup lookup_table_name | stats count | return count $field1 ]

unfortunately, that returns count="479"

Is there a way to accomplish what I am trying to do?

Thanks!

Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎07-30-2014 01:00 AM

You can avoid return and hence the need to specify a number entirely by using the magic field name query like this:

index=foo [inputlookup lookup_table_name | rename field1 as query | fields query]

That subsearch will evaluate to ( (v1) OR (v2) OR ... (vn) ) rather than ( (key=v1) OR (key=v2) OR ... (key=vn) )

View solution in original post

Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎07-30-2014 01:00 AM

You can avoid return and hence the need to specify a number entirely by using the magic field name query like this:

index=foo [inputlookup lookup_table_name | rename field1 as query | fields query]

That subsearch will evaluate to ( (v1) OR (v2) OR ... (vn) ) rather than ( (key=v1) OR (key=v2) OR ... (key=vn) )

Reply
Solved! Jump to solution

rolaso
Explorer
‎07-30-2014 04:53 AM

This solution worked perfectly. Many thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...