Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

search with parameters

sarit_s
Communicator
‎06-03-2020 07:12 AM

Hello,

I have this query:

index=prod eventtype="csm-messages-dhcpd-lpf-eth0-listening" OR eventtype="csm-messages-dhcpd-lpf-eth0-sending" OR eventtype="csm-messages-dhcpd-send-socket-fallback-net" OR eventtype="csm-messages-dhcpd-write-zero-leases" OR eventtype="csm-messages-dhcpd-eth1-nosubnet-declared"
| transaction maxpause=2s maxspan=2s maxevents=5
| eval Max_time=(duration + _time)
| eval Min_time=(_time)
| table _time,eventcount, eventtype ,Min_time, Max_time,tail_id,kafka_uuid
| foreach eventtype
    [eval flag_eventtype=if(eventcount!=5,"no", "yes")]

now i have a lookup table and i want to set parameters in my query that will be taken from the lookup table.
for example , instead of searching

eventtype="csm-messages-dhcpd-lpf-eth0-listening" OR eventtype="csm-messages-dhcpd-lpf-eth0-sending" OR eventtype="csm-messages-dhcpd-send-socket-fallback-net" OR eventtype="csm-messages-dhcpd-write-zero-leases" OR eventtype="csm-messages-dhcpd-eth1-nosubnet-declared"

i want to take the values of the eventtype from the lookup table

how can i do that ?

thanks

Labels (2)
Labels
0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎06-03-2020 07:36 AM

@sarit_s

Try 

index=prod [ |inputlookup myLookup | table eventtype] | YOUR REST SEARCH
0 Karma
Reply

sarit_s
Communicator
‎06-03-2020 09:49 AM

Hey, thanks for your answer..
my lookup table has 10 different columns that calls UsedRule1...UsedRule10
eventtype should be each one of the UsedRole in the lookup

0 Karma
Reply

efika
Communicator
‎06-04-2020 12:21 AM

The end result of the subsearch should be a table with a column that is named "eventtype" and values that should be what you are searching for.
based on what you are describing you might need to transpose the results of the inputlookup

0 Karma
Reply

sarit_s
Communicator
‎06-04-2020 12:46 AM

im not sure i understood what you are saying...

this is how my table looks like :

AlertNameNonUnique AlertNameUnique AlertSevirityNonUnique AlertSevirityUnique UsedRule1 UsedRule10 UsedRule2 UsedRule3 UsedRule4 UsedRule5 UsedRule6 UsedRule7 UsedRule8 UsedRule9

how can i use this values as parameters in my query ?

0 Karma
Reply

efika
Communicator
‎06-04-2020 06:59 AM

Try this in the subsearch:
| inputlookup
| fields Used*
| transpose
| rename "row 1" as eventtype
| fields eventtype

0 Karma
Reply

sarit_s
Communicator
‎06-09-2020 02:35 PM

@efika
thanks, it is working but it is not allowed me to be dynamic.
what if my file will contain more than one row ?
also, not all the values in "row 1" are eventtypes.. how can i use the values from the file as arguments ?

0 Karma
Reply

efika
Communicator
‎06-03-2020 07:23 AM

Hi Sarit,

Do a subsearch, get all the lookup values into a Multi Value field (MV) and compare the eventtype in the outer search to this MV.

0 Karma
Reply

sarit_s
Communicator
‎06-03-2020 09:50 AM

hi, thanks for your answer...

i know the algorithm, i just don't know how to apply it

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...