cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
SubtotalAMG
Loves-to-Learn Lots
Member since: ‎06-02-2023
‎08-18-2023
Community Statistics
Posts 5
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎06-02-2023
Activity Feed
View All

Re: Inputlookup, Return command <$Field> and <Fiel...

by in Splunk Search
‎06-08-2023 03:57 PM
‎06-08-2023 03:57 PM
Compiler view helped me understand the problem and the alternative solution worked as well thank you! ... View more

Re: Inputlookup, Return command <$Field> and <Fiel...

by in Splunk Search
‎06-08-2023 03:56 PM
‎06-08-2023 03:56 PM
You're alternative solution worked thank you! ... View more

Inputlookup, Return command <$Field> and <Field> c...

by in Splunk Search
‎06-07-2023 07:09 PM
‎06-07-2023 07:09 PM
Hey All,  So I'm relatively new to Splunk. I have a csv file that has multiple computers and I've created a dashboard trying to get reports based on the parameters the user chooses. The search by itself is fine and is this: index=whatever sourcetype=whateverXxX [ | inputlookup FileName.csv | search Type="Prod" | return host=IIS_Server ] OR ([| inputlookup FileName.csv | search Type="Prod" | return host=IIS_for_XServers cs_uri_stem=Pattern_for_Servers]) | timechart span=5m count by host but when I start placing  that search in a dashboard with user inputs it looks like this: index=whatever sourcetype=whateverXxX [ | inputlookup FileName.csv |$Type_of_deployment$ | return host=$IIS_Server ] OR ([| inputlookup FileName.csv |$Type_of_deployment$ | return host=$IIS_for_XServers cs_uri_stem=$Pattern_for_Servers]) | timechart span=$Span_Timechart$ count by host Once implemented I get a "Search is wating for input..." even after selecting an input and clicking the submit button. But I found the solution for the dashboard is: index=whatever sourcetype=whateverXxX [ | inputlookup FileName.csv | $Type_of_deployment$ | return host=IIS_Server ] OR ([| inputlookup FileName.csv | $Type_of_deployment$ | return host=IIS_for_XServers cs_uri_stem=Pattern_for_Servers]) | timechart span=$Span_Timechart$ count by host So if you noticed the difference it's the <$field> with the return command. I don't understand the difference between  <$field> and <field>. I've searched everywhere and the documentation on it still confuses me, even posts from this community forum. Why does it matter when it comes into the dashboard? But when I use either format ( <$field> and <field>) for normal searching it doesn't have a problem and actually spits back the exact same results between the two. Which according to the documentation and from research that's not even supposed to happen. But it throws a fit when I place it into the dashboard. Can someone ELI5? Some Sources that I've used and don't make much sense to me: https://community.splunk.com/t5/Splunk-Search/How-to-use-INPUTLOOKUP-command-in-splunk/m-p/92212 https://docs.splunk.com/Documentation/SplunkCloud/9.0.2303/SearchReference/Return     ... View more
Labels

Re: How to use INPUTLOOKUP command in splunk

by in Splunk Search
‎06-02-2023 09:43 AM
‎06-02-2023 09:43 AM
Hi, I still don't understand the difference between $<field> and <fields>. Can you ELI5? ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎08-18-2023 08:33 PM