- Community
- :
- Splunk Answers
- :
- Splunk Administration
- :
- Knowledge Management
- :
- help with inputlookup and a subsearch
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
hello
In the search below I try to match host in "host.csv" with host which comes from a subsearch
| inputlookup host.csv
| table host
| join type=left host
[ search index=master-data-lookups sourcetype="view_splunk_assets"
| stats count by HOSTNAME TOWN COUNTRY
| fields - count
| rename HOSTNAME as host]
what is the problem because I have results when i execute | inputlookup host.csv OR index=master-data-lookups sourcetype="view_splunk_assets"
| stats count by HOSTNAME TOWN COUNTRY
| fields - count
| rename HOSTNAME as host
thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
Try this:
index=master-data-lookups sourcetype="view_splunk_assets"
| stats count by HOSTNAME TOWN COUNTRY
| fields - count
| rename HOSTNAME as host
| appendpipe [|inputlookup host.csv
| table host
| eval sourcetype="csv"]
| stats values(*) AS * BY host
| search sourcetype="csv"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
In your search statement, "host.csv" is 1 and ”subsearch” is the first one.
If you want "host.csv" to connect multiple ”subsearch” to 1 change the max value.
host.csv
A
B
C
”subsearch”
A TOWN1 COUNTRY1
A TOWN2 COUNTRY2
C TOWN3 COUNTRY3
C TOWN4 COUNTRY4
your search results
A TOWN1 COUNTRY1
B
C TOWN3 COUNTRY3
What do you want to do?
join-options
Syntax: type=(inner | outer | left) | usetime= | earlier= | overwrite= | max=
Description: Options to the join command. Use either outer or left to specify a left outer join.
max
Syntax: max=
Description: Specifies the maximum number of subsearch results that each main search result can join with. If set to max=0, there is no limit.
Default: 1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
Try this:
index=master-data-lookups sourcetype="view_splunk_assets"
| stats count by HOSTNAME TOWN COUNTRY
| fields - count
| rename HOSTNAME as host
| appendpipe [|inputlookup host.csv
| table host
| eval sourcetype="csv"]
| stats values(*) AS * BY host
| search sourcetype="csv"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
thanks a lot
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
What is the significance to putting the index search first?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
Because the appendpipe [|inputlookup ...] trick that I invented somehow bypasses the subsearch limits, but the normal search will not.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
What do you get when you run this entire search? Do you get records from your lookup table and nothing from the index?
It's another Splunk Love Special! For a limited time, you can review one of our select Splunk products through Gartner Peer Insights and receive a $25 Visa gift card!
Review:
SOAR (f.k.a. Phantom) >>
Enterprise Security >>
Splunk Enterprise or Cloud for Security >>
Observability >>
Or Learn More in Our Blog >>
