I want to limit the search that matches the values...

innoce · ‎01-31-2022

I want to limit the search that matches the "dest" values which are a part of lookup
Currently I am getting all events 😐

Lookup: host.csv lookup columns: aa bb

I tried something like below:

|tstats summariesonly=f count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (condition)[|inputlookup host.csv |fields + aa |rename aa as Processes.dest] by Processes.dest

Any help would be appreciated!

Thanks

diogofgm · ‎01-31-2022

I would check the inspector as it should give you some hints on what the final search that splunk is using after the sub search. Check remoteSearch

------------
Hope I was able to help you. If so, some karma would be appreciated.

richgalloway · ‎01-31-2022

Please tell us more about what you're trying to do. What results do you want?

Have you looked at the manual for the inputlookup command? It accepts a where option that limits the matches. See https://docs.splunk.com/Documentation/Splunk/8.2.4/SearchReference/Inputlookup#Syntax

---
If this reply helps you, Karma would be appreciated.

I want to limit the search that matches the values which are a part of lookup

lookup

tstats

Modern way of developing distributed application using OTel

Enterprise Security Content Update (ESCU) | New Releases

Archived Metrics Now Available for APAC and EMEA realms