Solved: Re: How do I do a search on an inputlookup from da...

jeradb · ‎01-30-2024

My current serach is -

| from datamodel:Remote_Access_Authentication.local
| append [| inputlookup Domain | rename name as company_domain]
| dest_nt_domain

How do I get the search to only list items in my table where | search dest_nt_domain=company_domain?

Is there another command other than append that I can use with inputlookup? I do not need to add it to the list. Just trying to get the data in to compare against the datamodel.

gcusello · ‎01-30-2024

Hi @jeradb,

let me understand: yo want to filter results from the datamodel using the lookup, is it correct?

In this case:

| from datamodel:Remote_Access_Authentication.local
| search [| inputlookup Domain | rename name AS company_domain | fields company_domain]
| ...

only one attention point: check if the field in the DataModel is named "company_domain" or "Remote_Access_Authentication.company_domain".

If the second, you have to rename it in the subsearch.

what do you want to extract from the DataModel?

maybe you could use tstats.

Ciao.

Giuseppe

View solution in original post

gcusello · ‎01-30-2024

Hi @jeradb,

let me understand: yo want to filter results from the datamodel using the lookup, is it correct?

In this case:

| from datamodel:Remote_Access_Authentication.local
| search [| inputlookup Domain | rename name AS company_domain | fields company_domain]
| ...

only one attention point: check if the field in the DataModel is named "company_domain" or "Remote_Access_Authentication.company_domain".

If the second, you have to rename it in the subsearch.

what do you want to extract from the DataModel?

maybe you could use tstats.

Ciao.

Giuseppe

How do I do a search on an inputlookup from data loaded from datamodel

lookup

subsearch

.conf24 | Day 0

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector