Hi, Splunkers!
Looking for an easy way to get results from any lookup table, something like: | inputlookup mylookup | search "keyword"
Of course this doesn't work, as I didn't specify a field name.
But how could I get rows from my table where any of the fields matches my request?
This might also be handy when I don't know or won't specify a field name or while searching through different tables with different field names simultaneously.
Assuming $category$ is correctly giving the lookup table name to use, give this a shot
| inputlookup $category$ | eval raw="" | foreach * [eval raw=raw.",".coalesce('<<FIELD>>',"") ] | search raw="*$keyword$*"
What is the difference between your keyword and the Type search textbox value?
Can you explain the point of coalesce() in the solution? Are you trying to account for null fields with blank instead of null?
I think somesoni2 has the right of it - combine the data into a giant string that you then search. Mine is just slightly different but uses the same concept
| inputlookup mylist | eval foo="" | foreach * [ eval foo = foo."|".'<<FIELD>>' ] | search foo="*myterm*" | fields - foo
I added the pipes just because /shrug. Alternatively I suppose you could populate a dropdown with the fields from whichever list the user selects. I'd do that with something like
| inputlookup $category$ | transpose | table column
Great, this approach works!
I should examine search commands more diligently )
Great suggestion, Runals, I'll add this dropdown to my form.
As for "Type search" - this is just for situations when the user needs to add something to the search directly in this view.
Thank you!
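Added example, not part of the original thread: a self-contained run of the concatenate-then-search approach from the answers above, with makeresults standing in for a real lookup. The field names and values are constructed; each row lacks one of the name fields, which is the case coalesce() covers, because in eval concatenating a null value yields null.

```spl
| makeresults count=2
| streamstats count AS n
| eval "PC Name"=if(n=1, "ws-041", null()), "VM Name"=if(n=2, "vm-db-07", null()), owner=if(n=1, "alice", "bob")
| fields - _time n
| eval raw=""
| foreach * [ eval raw=raw.",".coalesce('<<FIELD>>', "") ]
| search raw="*vm-db*"
| fields - raw
```

This returns only the vm-db-07 row. With plain '<<FIELD>>' instead of coalesce('<<FIELD>>', ""), raw ends up null on both rows and the search returns nothing.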
Thanks guys, but...
Let's say I have feeds from an Inventory DB and I'd like to create a view in Splunk where I can choose any category of assets (separate resulting csv tables, like inventory_pc, inventory_vm etc), define some keyword, and it will look for that word. The fields for each category differ from those of the other categories - e.g. the name of assets - 'PC Name', 'VM Name', 'Device Name'; some categories have unique fields - you'll never know what to expect. The panel in my form should have a unified search: | inputlookup $category$ | search $keyword$ $search$.
How can I achieve this?
I am not sure if I understand your task correctly, but let's check this -
| inputlookup mylookup | search mylookup_column_name=$keyword$
try this -
| inputlookup mylookup | search keyword="value"
I have a mapZipcode lookup configured on my system, and to look for Florida, this works fine -
| inputlookup mapZipCode | search city="Florida"
Hi evelenke,
I like to use something like this to output fields out of a lookuptable when certain conditions match:
| lookup ip_info.csv src_ip OUTPUT subnet_mask, user, device
"src_ip" is the field in the lookup table you want to match with the field in your existing search (this field's name also needs to be "src_ip") (PS: if your existing field is "source_ip", you could rename it to "src_ip" before the lookup and then rename it back after the lookup)
"OUTPUT" is the command after which the fields you want to read out of the lookup file should follow.
"subnet_mask", "user", "device" are the actual field names in the lookup table
Best regards,
pyro_wood