Is there a way to modify an inputlookup subsearch ...

cogden · ‎06-28-2018

I have a subsearch doing "| inputlookup" against a CSV... the implied operator is equals. "Column/Field = Cell Value" ... is anybody aware of a way to overload or modify that operator from equals to IN. For example, if my cell value is a comma-separated list value1,value2 I dont want the search to be field="value1,value2" I would want the search to be field IN (value1,value2)

Example search:
|tstats count WHERE [inputlookup test.csv]

Example: test.csv:
mycolumn
value1,value2

Desired expanded search:
|tstats count WHERE mycolumn IN (value1,value2)

Actual expanded search:
| tstats count WHERE mycolumn="value1,value2"

woodcock · ‎06-30-2018

Use this macro:

[convert_search_from_ORs_to_IN]
definition = rename COMMENT AS "EXTREME WARNING!!! THIS IS ONLY VALID IF YOU ARE USING A SINGLE FIELD!!!!"\
| rex field=search mode=sed "s/^\(\s*\(\s*// s/\s*\)\s*\)$/)/ s/=/ IN(/ s/\s*\)\s*OR\s*\([^=]+=/,/g"
errormsg = Description: Author=Gregg Woodcock; this is necessary because if the number of characters in a search string is too great, the search may fail; this conversion saves ~50%!
iseval = 0

Then, any place where you are doing something like this:

index=foo [|inputlookup tableOfHosts | table host]

Change it to this:

index=foo [|inputlookup tableOfHosts | table host | `convert_search_from_ORs_to_IN`]

cogden · ‎06-28-2018

SOLVED INTERNALLY:

Adding to the subsearch an eval split based on comma followed by an mvexpand accomplishes a similar result:

Example:

|tstats count WHERE [ | inputlookup test.csv | eval mycolumn = split(mycolumn,",") | mvexpand mycolumn ]

Is there a way to modify an inputlookup subsearch from an implied equals operator to an "IN" operator?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!