Solved: inputlookup - Is it possible to pass lookup table ...

rolaso · ‎07-29-2014

Hi everyone,

I am trying to find a way count the lines inside a lookup table and pass it to the return command.

For example:

I am currently using:
index=index_foo [|inputlookup lookup_table_name | return 479 $field1 ]

This works fine, but its a maintenance nightmare as the table changes size often. I wrote the following to try to have the subsearch count the rows and return them all:

index=index_foo [|inputlookup lookup_table_name | stats count | return count $field1 ]

unfortunately, that returns count="479"

Is there a way to accomplish what I am trying to do?

Thanks!

martin_mueller · ‎07-30-2014

You can avoid return and hence the need to specify a number entirely by using the magic field name query like this:

index=foo [inputlookup lookup_table_name | rename field1 as query | fields query]

That subsearch will evaluate to ( (v1) OR (v2) OR ... (vn) ) rather than ( (key=v1) OR (key=v2) OR ... (key=vn) )

View solution in original post

martin_mueller · ‎07-30-2014

You can avoid return and hence the need to specify a number entirely by using the magic field name query like this:

index=foo [inputlookup lookup_table_name | rename field1 as query | fields query]

That subsearch will evaluate to ( (v1) OR (v2) OR ... (vn) ) rather than ( (key=v1) OR (key=v2) OR ... (key=vn) )

rolaso · ‎07-30-2014

This solution worked perfectly. Many thanks!

inputlookup - Is it possible to pass lookup table size to return command?

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)