
search with parameters

sarit_s
Communicator

Hello,

I have this query:

index=prod eventtype="csm-messages-dhcpd-lpf-eth0-listening" OR eventtype="csm-messages-dhcpd-lpf-eth0-sending" OR eventtype="csm-messages-dhcpd-send-socket-fallback-net" OR eventtype="csm-messages-dhcpd-write-zero-leases" OR eventtype="csm-messages-dhcpd-eth1-nosubnet-declared"
| transaction maxpause=2s maxspan=2s maxevents=5
| eval Max_time=(duration + _time)
| eval Min_time=(_time)
| table _time,eventcount, eventtype ,Min_time, Max_time,tail_id,kafka_uuid
| foreach eventtype
    [eval flag_eventtype=if(eventcount!=5,"no", "yes")]

Now I have a lookup table and I want to set parameters in my query that will be taken from the lookup table.
For example, instead of searching

eventtype="csm-messages-dhcpd-lpf-eth0-listening" OR eventtype="csm-messages-dhcpd-lpf-eth0-sending" OR eventtype="csm-messages-dhcpd-send-socket-fallback-net" OR eventtype="csm-messages-dhcpd-write-zero-leases" OR eventtype="csm-messages-dhcpd-eth1-nosubnet-declared"

I want to take the values of the eventtype from the lookup table.

How can I do that?

Thanks


kamlesh_vaghela
SplunkTrust

@sarit_s

Try

index=prod [ | inputlookup myLookup | table eventtype ] | <rest of your search>

sarit_s
Communicator

Hey, thanks for your answer.
My lookup table has 10 different columns called UsedRule1...UsedRule10.
eventtype should be each one of the UsedRule values in the lookup.

efika
Communicator

The end result of the subsearch should be a table with a column named "eventtype" whose values are what you are searching for.
Based on what you are describing, you might need to transpose the results of the inputlookup.

sarit_s
Communicator

I'm not sure I understood what you are saying...

This is how my table looks:

AlertNameNonUnique AlertNameUnique AlertSevirityNonUnique AlertSevirityUnique UsedRule1 UsedRule10 UsedRule2 UsedRule3 UsedRule4 UsedRule5 UsedRule6 UsedRule7 UsedRule8 UsedRule9

How can I use these values as parameters in my query?

efika
Communicator

Try this in the subsearch:
| inputlookup
| fields Used*
| transpose
| rename "row 1" as eventtype
| fields eventtype


sarit_s
Communicator

@efika
Thanks, it is working, but it does not allow me to be dynamic.
What if my file contains more than one row?
Also, not all the values in "row 1" are eventtypes. How can I use the values from the file as arguments?

efika
Communicator

Hi Sarit,

Do a subsearch, get all the lookup values into a multivalue (MV) field, and compare the eventtype in the outer search to this MV field.

sarit_s
Communicator

Hi, thanks for your answer...

I know the algorithm, I just don't know how to apply it.
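One way to apply what the last replies describe, written here as an added example and not code from anyone in the thread. It assumes the lookup is named myLookup (the placeholder used in the first answer), that the eventtype names live in the columns UsedRule1 through UsedRule10 (any number of rows), and that real eventtype names all start with csm-messages- (a guess taken from the names in the question; adjust or drop the match() line if that is not true for your data). The foreach collects every UsedRule* column of every lookup row into one multivalue field, mvexpand turns that into one row per value, and format turns the surviving rows into the eventtype="..." OR eventtype="..." string that the outer search needs:

```spl
index=prod
    [ | inputlookup myLookup
      | fields UsedRule*
      | foreach UsedRule* [ eval eventtype=mvappend(eventtype, '<<FIELD>>') ]
      | mvexpand eventtype
      | where isnotnull(eventtype) AND eventtype!=""
      | where match(eventtype, "^csm-messages-")
      | dedup eventtype
      | fields eventtype
      | format ]
| transaction maxpause=2s maxspan=2s maxevents=5
| eval Min_time=_time, Max_time=_time+duration
| table _time, eventcount, eventtype, Min_time, Max_time, tail_id, kafka_uuid
| eval flag_eventtype=if(eventcount==5, "yes", "no")
```

To check what the outer search actually receives, run the bracketed part on its own (starting with `| inputlookup myLookup ...` and ending with `| format`) and read the generated `search` field; every value should appear as `eventtype="..."` and nothing else from the lookup should leak in. Two caveats from Splunk's subsearch behaviour: a subsearch is capped by default at 10,000 results and 60 seconds, so the dedup matters if the lookup is large, and because eventtype is a special field, only eventtypes that are actually defined and enabled in the search head will match, so a name present in the lookup but not in eventtypes.conf silently returns nothing rather than an error.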