- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- combine two pieces of code
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I have two pieces of codes executed in orders. The first piece generates a lookup table by "|outputlookup test.csv", then the second piece uses the lookup table generated by calling "|inputlookup test.csv". Can I combine them into ONE piece of code?
search1
| outputlookup test.csv
search2
[ inputlookup test.csv | fields IP]
| ....
Thanks and Regards,
xiangtaner
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There's probably an easy and cleaner way to do this but we would need to know exactly what you are trying to achieve and what search1 and search2 are.
If all you are looking for is a quick answer, try the following with appendcols:
search1
| outputlookup test.csv
| fields - *
| appendcols [ |inputlookup test.csv | fields IP]
EDIT to include answer below:
Would it not be easier in that case and probably more efficient to maintain a scheduled job populating your test.csv file every 15 or 30 minutes and then simply doing the following when you want to apply the IP filtering:
your search here
| lookup my_ip_filter_based_on_test_csv IP
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There's probably an easy and cleaner way to do this but we would need to know exactly what you are trying to achieve and what search1 and search2 are.
If all you are looking for is a quick answer, try the following with appendcols:
search1
| outputlookup test.csv
| fields - *
| appendcols [ |inputlookup test.csv | fields IP]
EDIT to include answer below:
Would it not be easier in that case and probably more efficient to maintain a scheduled job populating your test.csv file every 15 or 30 minutes and then simply doing the following when you want to apply the IP filtering:
your search here
| lookup my_ip_filter_based_on_test_csv IP
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks javiergn for the inputs and sorry that I didn't specify the detailed usage of the lookup table test.csv generated from the first step. The test.csv stores a list of IPs for further exploration. Then in the second step, from a very big source I would like to use the test.csv to filter out all irrelevant IPs by excluding them if they are not present in test.csv.
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In summary, you want to filter out and only display those present in test.csv correct?
Would it not be easier in that case and probably more efficient to maintain a scheduled job populating your test.csv file every 15 or 30 minutes and then simply doing the following when you want to apply the IP filtering:
your search here
| lookup my_ip_filter_based_on_test_csv IP
If you still want to run everything in one search then my previous answer is probably good enough.
Hope that helps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks javiergn, yes, this seems to be the right direction to maintain a scheduled job populating the lookup table.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No worries. If you found the answer useful please remember to mark it / vote it so that others can benefit from it.
Thanks,
J
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
