Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

use inputlookup output as fulltext search in outer search

wegscd
Contributor
‎07-10-2015 08:29 AM

I have a lookup table of userids that I want to use as the search terms for a fulltext search. Basically, the outer search should match if the events contain any of the userids in the lookup table.

I can make things work if I extract the proper userid field from the outer search, but I'm not positive I can write a reliable regex to extract the userid from sourcetype=ItimUsage (too much cruft in there), so I want to use a full text search to hedge my bets (false positives are cheap, missed positives are expensive).

I saw http://answers.splunk.com/answers/268992/use-subsearch-result-as-fulltext-search-in-outer-s.html, but it does not seem to work for me:

index=w_itimlogs sourcetype=ItimUsage [ | inputlookup executives | eval _raw="*" . userid . "*" | fields + _raw ]

Any thoughts as to why the outer search is not matching?

0 Karma
Reply

woodcock
Esteemed Legend
‎07-10-2015 01:08 PM

OK, this is funky but it works:

 index=w_itimlogs sourcetype=ItimUsage | eval raw=_raw | search [| inputlookup executives | eval raw="*" . userid . "*" | fields raw]

I also answered it in the other question.

Reply

woodcock
Esteemed Legend
‎07-17-2015 09:42 PM

Did you get this to work?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...