I have a lookup table of userids that I want to use as the search terms for a fulltext search. Basically, the outer search should match if the events contain any of the userids in the lookup table.
I can make things work if I extract the proper userid field from the outer search, but I'm not positive I can write a reliable regex to extract the userid from sourcetype=ItimUsage (too much cruft in there), so I want to use a full text search to hedge my bets (false positives are cheap, missed positives are expensive).
I saw http://answers.splunk.com/answers/268992/use-subsearch-result-as-fulltext-search-in-outer-s.html, but it does not seem to work for me:
index=w_itimlogs sourcetype=ItimUsage [ | inputlookup executives | eval _raw="*" . userid . "*" | fields + _raw ]
Any thoughts as to why the outer search is not matching?
OK, this is funky but it works:
index=w_itimlogs sourcetype=ItimUsage | eval raw=_raw | search [| inputlookup executives | eval raw="*" . userid . "*" | fields raw]
I also answered it in the other question.
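An added Python emulation (not Splunk's code and not part of the original thread) of what the answer's search does: the subsearch rows are rendered into OR-ed wildcard clauses, and each event's raw text is then tested against them, so an executive userid that is merely a substring of a longer token still matches (the cheap false positive the question is willing to accept). The lookup rows, the event lines, the `format`-style rendering and case-insensitive value matching are all assumptions, not taken from the page.

```python
import re

# Constructed stand-in for the "executives" lookup (one userid column),
# i.e. what `| inputlookup executives` would return in the question.
EXECUTIVES = [{"userid": "alice"}, {"userid": "bsmith"}]

# Constructed ItimUsage-style events; the real sourcetype layout is not on the page.
EVENTS = [
    'ts=1 msg="session opened" principal=uid:alice,ou=people',
    'ts=2 msg="session opened" principal=uid:carol,ou=people',
    'ts=3 msg="approval" by=BSMITH item=42',        # value differs only in case
    'ts=4 msg="note" text="alice-bot ran sync"',     # substring false positive
]

def format_subsearch(rows, field="raw"):
    """Assumed rendering of the subsearch: one (field="*userid*") clause per row,
    OR-ed together, mirroring Splunk's implicit `format` on subsearch results."""
    clauses = ['( %s="*%s*" )' % (field, r["userid"]) for r in rows]
    return "( " + " OR ".join(clauses) + " )"

def wildcard_to_regex(pattern):
    """Turn a search-style wildcard term into a regex: only `*` is special and
    matches any run of characters; values are compared case-insensitively."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)

def search_events(events, rows):
    """Emulates `eval raw=_raw | search [ ... ]`: keep each event whose raw text
    matches any wildcard term; returns (event, matched userid) pairs."""
    patterns = [(r["userid"], wildcard_to_regex("*%s*" % r["userid"])) for r in rows]
    hits = []
    for raw in events:
        for userid, rx in patterns:
            if rx.match(raw):
                hits.append((raw, userid))
                break  # one hit per event is enough, as in the real search
    return hits

if __name__ == "__main__":
    print(format_subsearch(EXECUTIVES))
    for raw, userid in search_events(EVENTS, EXECUTIVES):
        print(userid, "<-", raw)
```

Tightening the wildcard terms (for example anchoring on the `uid:` prefix) would remove the fourth event's false positive at the cost of missing events with a different layout, which is exactly the trade-off the question describes.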
Did you get this to work?