inputlookup in a map search

Explorer

Hi splunk fellows,

Struggling a bit with the map command, which I have never used before:

| inputlookup myfile1.csv
| append
[| inputlookup myfile2.csv ]
| where status!="H"
| eventstats dc(status) as status_cnt by site_code
| where status_cnt=1 and status="C"
| table site_code
--> until here everything looks fine
| map search="|inputlookup myfile1.csv | where site_code=$site_code$"

Don't try too much to make sense out of it, as I simplified the query, but basically I'm filtering out events to get the ones I'm interested in and I create a table containing my site_code values. So far so good. Now I would like to use these values to select some specific entries in my lookup table with the map command, but I'm not getting any results. It seems the $site_code$ variable is not filled in properly.

Any advice?

Thank you

1 Solution

Champion

You would need to put $site_code$ in quotes, like this:

| inputlookup myfile1.csv 
| append 
[| inputlookup myfile2.csv ]
| where status!="H"
| eventstats dc(status) as status_cnt by site_code
| where status_cnt=1 and status="C" 
| table site_code 
| map [|inputlookup myfile1.csv | where site_code="$site_code$"]

I changed search="..." to [...] to make this easier to read.

You could combine the where with the inputlookup, as well:

| inputlookup myfile1.csv 
| append 
[| inputlookup myfile2.csv ]
| where status!="H"
| eventstats dc(status) as status_cnt by site_code
| where status_cnt=1 and status="C" 
| table site_code 
| map [|inputlookup myfile1.csv where site_code=$site_code$]

Note that this version doesn't require double quotes around $site_code$. This is because the where clause of inputlookup assumes the right hand side will be a value, whereas the where command allows you to pass field names on the right hand side, or values if in quotes. So your | where thought you were saying | where <fieldA>=<fieldB> instead of |where <fieldA>=<valueB>.


SplunkTrust

Can you try

| inputlookup myfile1.csv 
| append 
[| inputlookup myfile2.csv ]
| where status!="H"
| eventstats dc(status) as status_cnt by site_code
| where status_cnt=1 and status="C" 
| table site_code 
--> until here everything looks fine
| map search="|inputlookup myfile1.csv | where site_code=\"$site_code$\"" 

Let me know if this works!

Explorer

This is working, many thanks for this. Actually my aim is to compare 2 lookup tables to find the list of site_codes I'm interested in. Then, based on this list, I need to modify some entries having the same site_code in the first lookup table.

Sorry for not having accepted your answer, I thought it was possible to accept several answers but apparently it is not. Thank you anyway for your help.



Champion

I had a typo in my searches, where I had search=[. When you use [ to define your map search instead of ", you don't also include the search= component.

Explorer

This one is working too. Thanks for the explanation.


Champion

Despite your assertion that we shouldn't "try too much to make sense out of it", I'm going to ask that you provide some basic details regarding what the data looks like and what you want to accomplish. The reason for this is map is a bad idea in most cases. I think you'd be better served trying to find a better search, rather than troubleshooting this one.

That said, academic exercises (i.e., solving this one even though you may not use the answer) are still great teachers.
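As an added illustration of the map-free approach suggested above (this is not code from any of the posters), here is one way to reach the goal the original poster described earlier in the thread: find the site_code values of interest by comparing the two lookups, then modify the matching rows in the first lookup without running one search per row. The selection logic is the original poster's own; the assumptions are that the field to change is status, that the new value is the placeholder "X", and that the result is written to a new file myfile1_updated.csv rather than overwriting myfile1.csv.

```spl
| inputlookup myfile1.csv
| join type=left site_code [
    | inputlookup myfile1.csv
    | append [| inputlookup myfile2.csv ]
    | where status!="H"
    | eventstats dc(status) as status_cnt by site_code
    | where status_cnt=1 AND status="C"
    | dedup site_code
    | fields site_code
    | eval selected=1
  ]
| eval status=if(selected==1, "X", status)
| fields - selected
| outputlookup myfile1_updated.csv
```

The left join keeps every row of myfile1.csv and marks only the rows whose site_code appears in the comparison result, so the eval can change those rows and leave the rest untouched. Because the site_code list is built once in a subsearch instead of driving map, this avoids map spawning a separate search per row (map stops after maxsearches, which defaults to 10). Writing to a new file name lets you compare the result against the original lookup before replacing it.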
