Splunk Search

inputlookup - How to search through all lookup fields

evelenke
Contributor

Hi, Splunkers!

Looking for an easy way to get results from any lookup table, something like: | inputlookup mylookup | search "keyword"
Of course this doesn't work, as I didn't specify a field name.
But how could I get rows from my table where any of the fields matches my request?
This might also be handy when I don't know or won't specify a field name, or while searching through different tables with different field names simultaneously.

1 Solution

somesoni2
SplunkTrust

Assuming $category$ is correctly giving the lookup table name to use, give this a shot

| inputlookup $category$ | eval raw="" | foreach * [eval raw=raw.",".coalesce('<<FIELD>>',"") ] | search raw="*$keyword$*"

What is the difference between your keyword and the Type search textbox value?


makelovenotwar
Path Finder

Can you explain the point of coalesce() in the solution? Are you trying to account for null fields with blank instead of null?


Runals
Motivator

I think somesoni2 has the right of it - combine the data into a giant string that you then search. Mine is just slightly different but uses the same concept:

| inputlookup mylist | eval foo="" | foreach * [ eval foo = foo."|".<<FIELD>>] | search foo= *myterm* | fields - foo

I added the pipes just because /shrug. Alternatively I suppose you could populate a dropdown with the fields from whichever list the user selects. I'd do that with something like

| inputlookup $category$ | transpose | table column
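As an added example (not code from any of the posters), here are somesoni2's any-field search and Runals' transpose trick combined into a Simple XML form of the kind evelenke describes; it assumes lookups named inventory_pc and inventory_vm exist, as in the question.

```xml
<form>
  <label>Inventory lookup search</label>
  <fieldset submitButton="true">
    <!-- Category dropdown: choice values are the lookup names
         mentioned in the thread (inventory_pc, inventory_vm) -->
    <input type="dropdown" token="category">
      <label>Asset category</label>
      <choice value="inventory_pc">PC</choice>
      <choice value="inventory_vm">VM</choice>
      <default>inventory_pc</default>
    </input>
    <!-- Free-text keyword; the default "*" matches every row -->
    <input type="text" token="keyword">
      <label>Keyword</label>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <!-- Runals' transpose trick, shown as a reference list of the
           selected lookup's field names so the user knows what exists -->
      <title>Fields in $category$</title>
      <table>
        <search>
          <query>| inputlookup $category$ | transpose | table column</query>
        </search>
      </table>
    </panel>
    <panel>
      <!-- somesoni2's query; the << and >> of the foreach template must be
           XML-escaped inside <query>. coalesce() keeps a row searchable when
           one of its fields is empty, because concatenating a null value in
           eval makes the whole raw string null and the row would never match.
           The helper field raw is dropped before display. -->
      <title>Rows in $category$ matching "$keyword$"</title>
      <table>
        <search>
          <query>| inputlookup $category$ | eval raw="" | foreach * [eval raw=raw.",".coalesce('&lt;&lt;FIELD&gt;&gt;',"")] | search raw="*$keyword$*" | fields - raw</query>
        </search>
      </table>
    </panel>
  </row>
</form>
```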

evelenke
Contributor

Great, this approach works!
I should examine search commands more diligently )
Great suggestion, Runals, I'll add this dropdown to my form.
As for "Type search" - this is just for situations when user needs to add something to search directly in this view.
Thank you!


evelenke
Contributor

Thanks guys, but...
Let's say I have feeds from an Inventory DB and I'd like to create a view in Splunk where I can choose any category of assets (separate resulting csv tables, like inventory_pc, inventory_vm etc.) and define some keyword, and it will be looking for that word. Fields for each category have something different from the other categories - e.g. the name of assets - 'PC Name', 'VM Name', 'Device Name'; some categories have unique fields - you'll never know what to expect. The panel in my form should have a unified search: | inputlookup $category$ | search $keyword$ $search$.


How can I achieve this?


inventsekar
Ultra Champion

I am not sure if I understand your task correctly, but let's check this -
| inputlookup mylookup | search mylookup_column_name=$keyword$


inventsekar
Ultra Champion

try this -

| inputlookup mylookup | search keyword="value"

I have a mapZipCode lookup configured on my system, and to look for Florida this works fine -
| inputlookup mapZipCode | search city="Florida"


horsefez
SplunkTrust

Hi evelenke,

I like to use something like this to output fields from a lookup table when certain conditions match:

| lookup ip_info.csv src_ip OUTPUT subnet_mask, user, device

"src_ip" is the field in the lookup table you want to match with the field in your existing search (this field's name also needs to be "src_ip"). (PS: if your existing field is "source_ip", you could rename it to "src_ip" before the lookup and then rename it back after the lookup.)

"OUTPUT" is the command after which the fields you want to read out of the lookup file should follow.
"subnet_mask", "user", "device" are the actual field names in the lookup table.

Best regards,
pyro_wood
