×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
RBolconte
Loves-to-Learn Lots
Member since: ‎08-14-2023
‎08-15-2023
Community Statistics
Posts 5
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎08-14-2023
View All

Re: Inner Join with subsearch using Splunk Python

by in Splunk Search
‎08-15-2023 12:47 PM
‎08-15-2023 12:47 PM
I ran it without the "search" at the beginning of the string just using the inputlookup and it worked, now I just need to understand how to make the inputlookup work as a subsearch, is it possible with savedsearch? Not sure what this is, I'll look into it. ... View more

Re: Inner Join with subsearch using Splunk Python

by in Splunk Search
‎08-15-2023 11:28 AM
‎08-15-2023 11:28 AM
I just ran the csv search and it actually returned nothing (Splunk API): | inputlookup maintenance_window.csv max=0 | eval Name=lower(Name) | table Name, maint_down_start_time, maint_down_end_time, change_ticket However, in splunk I can return the values through manual search, that is, the user has access to the search. Can you tell if it's something from the api? ... View more

Re: Inner Join with subsearch using Splunk Python

by in Splunk Search
‎08-15-2023 06:22 AM
‎08-15-2023 06:22 AM
If I take the earliest_time and latest_time from kwargs_export, it remains the same, without joining the information from maintenance_window.csv ... View more

How to create Inner Join with subsearch using Splu...

by in Splunk Search
‎08-14-2023 12:42 PM
‎08-14-2023 12:42 PM
I'm doing a main search of a sourcetype, then I need to join with a csv file using the inputlookup, both the main search and the subsearch have the `Name` column, but when sending the complete search through the api, it does not return the values correctly, but when I do the search manually in splunk it works correctly. import splunklib.client as client service = client.connect(host=host, port=port, username=user, password=password) search = '''search''' + '''index="aiops_main" sourcetype="scom_np" OR sourcetype="scom_p" type="*SQL*" AND (type="*AlwaysOn*" OR type="*Server Service Stopped*") | join type=left Name [| inputlookup maintenance_window.csv max=0 | eval Name=lower(Name) | table Name, maint_down_start_time, maint_down_end_time, change_ticket] | eval is_maintenance = if((alwayson_failovertime >= maint_down_start_time) AND alwayson_failovertime < maint_down_end_time,"true","false") | table Name, type, is_maintenance ''' kwargs_export = { "earliest_time": '1', "latest_time": "now", "search_mode": "normal", "exec_mode": "blocking", } # Create job and return results try: job = service.jobs.create(search, parse_only=False, **kwargs_export) print(time.strftime('\n%Y_%m_%d__%H:%M:%S')) print("...done!") except Exception as e: print("Trouble connecting to Splunk. Try again in a few seconds") raise e This error appears: "INFO: [subsearch]: Your timerange was substituted based on your search string" In short: the is_maintenance field when run manually in Splunk returns some lines as True, while running the same search in python returns all as False.   ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎08-15-2023 05:13 PM