Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

search with parameters

sarit_s
Communicator
‎06-03-2020 07:12 AM

Hello,

I have this query:

index=prod eventtype="csm-messages-dhcpd-lpf-eth0-listening" OR eventtype="csm-messages-dhcpd-lpf-eth0-sending" OR eventtype="csm-messages-dhcpd-send-socket-fallback-net" OR eventtype="csm-messages-dhcpd-write-zero-leases" OR eventtype="csm-messages-dhcpd-eth1-nosubnet-declared"
| transaction maxpause=2s maxspan=2s maxevents=5
| eval Max_time=(duration + _time)
| eval Min_time=(_time)
| table _time,eventcount, eventtype ,Min_time, Max_time,tail_id,kafka_uuid
| foreach eventtype
    [eval flag_eventtype=if(eventcount!=5,"no", "yes")]

now i have a lookup table and i want to set parameters in my query that will be taken from the lookup table.
for example , instead of searching

eventtype="csm-messages-dhcpd-lpf-eth0-listening" OR eventtype="csm-messages-dhcpd-lpf-eth0-sending" OR eventtype="csm-messages-dhcpd-send-socket-fallback-net" OR eventtype="csm-messages-dhcpd-write-zero-leases" OR eventtype="csm-messages-dhcpd-eth1-nosubnet-declared"

i want to take the values of the eventtype from the lookup table

how can i do that ?

thanks

Labels (2)
Labels
0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎06-03-2020 07:36 AM

@sarit_s

Try 

index=prod [ |inputlookup myLookup | table eventtype] | YOUR REST SEARCH
0 Karma
Reply

sarit_s
Communicator
‎06-03-2020 09:49 AM

Hey, thanks for your answer..
my lookup table has 10 different columns that calls UsedRule1...UsedRule10
eventtype should be each one of the UsedRole in the lookup

0 Karma
Reply

efika
Communicator
‎06-04-2020 12:21 AM

The end result of the subsearch should be a table with a column that is named "eventtype" and values that should be what you are searching for.
based on what you are describing you might need to transpose the results of the inputlookup

0 Karma
Reply

sarit_s
Communicator
‎06-04-2020 12:46 AM

im not sure i understood what you are saying...

this is how my table looks like :

AlertNameNonUnique AlertNameUnique AlertSevirityNonUnique AlertSevirityUnique UsedRule1 UsedRule10 UsedRule2 UsedRule3 UsedRule4 UsedRule5 UsedRule6 UsedRule7 UsedRule8 UsedRule9

how can i use this values as parameters in my query ?

0 Karma
Reply

efika
Communicator
‎06-04-2020 06:59 AM

Try this in the subsearch:
| inputlookup
| fields Used*
| transpose
| rename "row 1" as eventtype
| fields eventtype

0 Karma
Reply

sarit_s
Communicator
‎06-09-2020 02:35 PM

@efika
thanks, it is working but it is not allowed me to be dynamic.
what if my file will contain more than one row ?
also, not all the values in "row 1" are eventtypes.. how can i use the values from the file as arguments ?

0 Karma
Reply

efika
Communicator
‎06-03-2020 07:23 AM

Hi Sarit,

Do a subsearch, get all the lookup values into a Multi Value field (MV) and compare the eventtype in the outer search to this MV.

0 Karma
Reply

sarit_s
Communicator
‎06-03-2020 09:50 AM

hi, thanks for your answer...

i know the algorithm, i just don't know how to apply it

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...