Re: inputlookup and search results from data

Splunk_rocks · ‎06-12-2019

Hello Splunkers,

I have inputlooku test.csv and containing fields host region

I have indexed data under test index containing fields host location status area DC

So what i need take input from look up table field host and search with in indexed data for status .

I was trying below one but not sure this is correct .

index=test status="Down" [| inputlookup test.csv | fields host] | dedup host | table host status DC

any thing is fine either before filter or after filter goal is to just show the results for host which are in my list.

VatsalJagani · ‎06-13-2019

Your query looks correct, just one thing for you to keep in mind if you have very enormous amount of hosts in lookup your query may brake.

MuS · ‎06-12-2019

Hi Splunk_rocks,

try this:

index=test  status="Down"  [| inputlookup test.csv | fields host | format ] | dedup host | table host status DC

By using format the sub search will return a string like this (( host=x ) OR (host=y) OR (host=z)) which then in turn will be used in the search.

Hope this helps ...

cheers, MuS

inputlookup and search results from data