Hi
How can I pass a static set of values to the query?
For example, an array of computer names to a query that lists all computers taking traffic, and do a comparison with the static list to see which ones are not taking load.
Note: I specifically need to know how to pass a static set of values.
Hi maniishpawar,
The easiest way to do this is to use a lookup containing your set of values and use it for filtering events.
In this way you can also easily manage this list using the Lookup Editor App.
You have two ways to use this lookup:
- when you can use the values in a field,
- when you use the values to search without fields.
In the first case you can use something like this:
your_search [ | inputlookup your_lookup.csv | fields your_key_field ] | ...
In the second case you have to follow this method:
your_search [ | inputlookup your_lookup.csv | rename your_key_field AS query | fields query ] | ...
(remember to use query as the field name in the subsearch!)
Bye.
Giuseppe
If you're trying to avoid a lookup (after reading the answer by @cusello, though I believe that would work just fine), you could try to use a macro. Add a macro in Settings > Advanced Search. It wouldn't need any arguments, just the definition. It would be something like:
computerName=x OR computerName=y OR computerName=z....
and in Splunk 6.6 you could do computerName IN ("x","y","z"....)
and your search would be something like index=foo `macro`
or you could create an event type/tag with the field values and then search for that in your search string.
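An added example, not from this answer's author, of the inline static list done without a lookup or macro: the host values web01..web03, index=foo and sourcetype=iis are assumed. IN (Splunk 6.6+) restricts the search to the listed hosts, and makeresults/split/mvexpand rebuilds the same list as zero-count rows so that listed hosts with no events in the window are reported rather than silently absent.

```spl
index=foo sourcetype=iis earliest=-10m latest=now host IN ("web01", "web02", "web03")
| stats count BY host
| append
    [ | makeresults
      | eval host=split("web01,web02,web03", ",")
      | mvexpand host
      | eval count=0
      | fields host, count ]
| stats sum(count) AS count BY host
| where count=0
```

Drop the final where to see every listed host with its count instead of only the ones that sent nothing.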
Can we not do this without a lookup?
Using fields or eval or something else.
As I want to use this in an alert and I am not sure if a lookup will work for an alert.
Hi maniishpawar,
Why do you think that a lookup doesn't work for an alert?
An alert search is a normal search: if your search with the lookup works correctly as a search, it works the same way as an alert!
Lookups are the easiest way to manage static lists.
Bye.
Giuseppe
I have tried inputlookup and uploaded a CSV file as well, but now I am stuck as to where to plug in the lookup.
This is my original query that I am trying to compare and find which servers stopped taking traffic.
How can I convert it?
index=something*prod sourcetype=iis
| stats last(index) as indx, values(source) by host
| rename host as hostname
|table indx,hostname
| dedup hostname
| join type=left max=0 hostname [ search index=something*prod sourcetype=iis earliest=-10m latest=now
| stats last(index) as indx,count by host
| rename host AS hostname | table indx, count, hostname ] | table _time, indx,hostname, count
I tried placing inputlookup, but somehow the second query result, which gets the count, is not working.
|inputlookup file.csv|rename lookupservers AS hostname | fields hostname
| join type=left max=0 hostname [ search index=abc*prod sourcetype=iis earliest=-10m latest=now
| stats count by host
| rename host AS hostname | table count, hostname ] | table hostname, count
Hi maniishpawar,
in subsearches there is a limit of 50,000 results, so you have to build your search in a different way.
Remember that the lookup command is similar to a left join.
If you want to add a lookup field to your output, try something like this:
index=abc*prod sourcetype=iis earliest=-10m latest=now
| lookup file.csv lookupservers AS host OUTPUT lookup_field
| stats values(lookup_field) AS lookup_field count by host
| rename host AS hostname
| table count hostname lookup_field
If instead you want to filter your events using your lookup, try something like this:
index=abc*prod sourcetype=iis earliest=-10m latest=now
[ | inputlookup file.csv | rename lookupservers AS host | fields host ]
| stats count by host
| rename host AS hostname
| table count hostname
Bye.
Giuseppe
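As an added example (not Giuseppe's code), this combines the lookup with the comparison the original question asked for: file.csv, the lookupservers column, index=abc*prod and sourcetype=iis come from the thread, and the append/stats pattern is assumed to be the way to list every host in the lookup that has no IIS events in the last 10 minutes. Hosts that send traffic but are missing from the lookup end with a positive count and are dropped by the final where.

```spl
index=abc*prod sourcetype=iis earliest=-10m latest=now
| stats count BY host
| append
    [ | inputlookup file.csv
      | rename lookupservers AS host
      | eval count=0
      | fields host, count ]
| stats sum(count) AS count BY host
| where count=0
| rename host AS hostname
| table hostname, count
```

Because the lookup is the only subsearch here, the 50,000-result subsearch limit applies to the size of the static list rather than to the event count.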
There is no reason why a lookup will not work for alerts. Make sure that your lookup has the correct scope/permissions so that it can be referenced in the alert search.