Solved: Limit search results to those in a LOOKUP table

atornes · ‎12-11-2013

I have a lookup table with a bunch of results. There is a a field called "accounts" representing a list of customers. Our splunk index has data on many more accounts than the lookup table has. How can I limit the results of my query to only the ones in the Lookup table?

In pseudo code terms, I want to pull all accounts from the lookup table into the array, then limit my search with a WHERE command to the accounts in the array.

kristian_kolb · ‎12-11-2013

Search like so;

your_search_for_all_events_with_accounts [| inputlookup your_lookup_file | fields + accounts]

the subsearch (in square brackets) will run first and return a list of acctouns in the format

(accounts=aaaa) OR (accounts=bbbb) OR (accounts=cccc) OR (accounts=dddd)

which are added to the outer search, which is then run.

/k

View solution in original post

kristian_kolb · ‎12-11-2013

Search like so;

your_search_for_all_events_with_accounts [| inputlookup your_lookup_file | fields + accounts]

the subsearch (in square brackets) will run first and return a list of acctouns in the format

(accounts=aaaa) OR (accounts=bbbb) OR (accounts=cccc) OR (accounts=dddd)

which are added to the outer search, which is then run.

/k

Limit search results to those in a LOOKUP table

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...