×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Kevin_S
Explorer
Member since: ‎04-20-2021
‎04-20-2021
Community Statistics
Posts 3
Solutions 0
Karma Given 2
Karma Received 0
Member Since ‎04-20-2021
Activity Feed
View All

Re: Search w/Inputlookup Subsearch Not Working

by in Splunk Search
‎04-20-2021 07:09 AM
‎04-20-2021 07:09 AM
Yes!!!! thanks so much. That worked! ... View more

Re: Search w/Inputlookup Subsearch Not Working

by in Splunk Search
‎04-20-2021 05:08 AM
‎04-20-2021 05:08 AM
Thanks! I tried moving the subsearch to after the field has been extracted - which I assume is after the "| search "requestParams.primaryInputs{}.type"=SEARCH_TERMS name=SEARCH" line? No luck so far.. index=palantir_audit host="merlin.palantir.abc.ncc" sourcetype=_json [|inputlookup Palantir_T3_Collection_Lookup_JSON.csv |rename DataSource as data_sources |table data_sources] | search "requestParams.primaryInputs{}.type"=SEARCH_TERMS name=SEARCH | spath output=search_values path=requestParams.primaryInputs{0}.values{0} | spath output=data_sources path=resultParams.additionalContent{}.resources{}.title | table time data_sources search_values ... View more

Search w/Inputlookup Subsearch Not Working

by in Splunk Search
‎04-20-2021 03:13 AM
‎04-20-2021 03:13 AM
Hello Experts, I am new to Splunk and trying to get a search query with subsearch to work. Here is what I have so far: index=palantir_audit host="merlin.palantir.abc.ncc" sourcetype=_json | search "DOS CCD" | search "requestParams.primaryInputs{}.type"=SEARCH_TERMS name=SEARCH | spath output=search_values path=requestParams.primaryInputs{0}.values{0} | spath output=data_sources path=resultParams.additionalContent{}.resources{}.title | table time data_sources search_values The above returns two results at runtime with "DOS CCD" as one or more of values in the data_sources field and i also have a "time" field (doesn't appear to be a reserved word) and a search_values field I want to replace the second line of the main search with a subsearch using the below. The .csv lookup file has three columns of which I am returning "DataSource" |inputlookup Palantir_T3_Collection_Lookup_JSON.csv |rename DataSource as data_sources |table data_sources This runs fine and gets the value "DOS CCD" from the lookup file with no problem, but when I try and pass this result into the main search like this I get no results: index=palantir_audit host="merlin.palantir.abc.ncc" sourcetype=_json [|inputlookup Palantir_T3_Collection_Lookup_JSON.csv |rename DataSource as data_sources |table data_sources] | search "requestParams.primaryInputs{}.type"=SEARCH_TERMS name=SEARCH | spath output=search_values path=requestParams.primaryInputs{0}.values{0} | spath output=data_sources path=resultParams.additionalContent{}.resources{}.title | table time data_sources search_values Any help would be greatly appreciated. Thanks! ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎04-20-2021 11:46 AM
Karma given to
View All