Good evening.
I have a query that currently does what I need it to do, searching on a particular value, "foo". This is tied to a form view, so users can simply enter "foo" in a box and the fairly intricate search retrieves what they need. Great. The log events in Splunk reference the value "foo", but it turns out the users actually don't have access to the values for "foo". They only know things by a different value, "bar". There's a backend database somewhere that creates a unique value "bar" for every unique value "foo". Thankfully, we have a CSV extract from the database with two columns, "foo" and "bar" ~2100 of them.
I've been going through the lookup documentation in the Splunk KnowledgeBase as well as here on Splunk>answers, but I'm still at a loss. I don't think using the subsearch as I've seen is what I want, or if it is, I'm not sure how to use it. I need to have the user enter "bar" and lookup the corresponding value for "foo" in the CSV Lookup so the search query is actually referencing the value for "foo" (the value for "bar" doesn't appear in any of our events).
I'm thinking what I need is something like:
[inputlookup lookup.csv | fields foo,bar | where bar=$bar$ | fields foo]
At least, conceptually, that's what I'm thinking, I guess ...
