- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Splunk Dynamic search using lookup
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I wish to populate a list of index names ( > 1) from a lookup table to a search query.
Indexlookup.csv -->
COL1
index1
index2
index5
index9
search -->
query | search index="index1" OR index="index2" OR index="index5" OR index="index1" | .........................
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
To do this you should create a csv file which contains the header index
e.g. index
xyz
xyz
xzy
exclude adding "index=" to the index value on the lookup.
once this lookup is created use this search string
[|inputlookup "your_lookup_name"
| search index=*
| eval search="(index=".index.") OR"
| stats values(search) as search
| eval search=tostring(search)
| eval search=substr(search,0,len(search)-3)]
this will then amalgamate the different indexes and run it!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
To do this you should create a csv file which contains the header index
e.g. index
xyz
xyz
xzy
exclude adding "index=" to the index value on the lookup.
once this lookup is created use this search string
[|inputlookup "your_lookup_name"
| search index=*
| eval search="(index=".index.") OR"
| stats values(search) as search
| eval search=tostring(search)
| eval search=substr(search,0,len(search)-3)]
this will then amalgamate the different indexes and run it!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am not sure what you imply by " index names ( > 1) ", however, instead of using the search you have mentioned you can try the following:
<YourBaseSearch> [|inputlookup Indexlookup.csv | rename COL1 as index| table index]
| <Your Remaining Search>
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this way -
query | search [ | inputlookup Indexlookup.csv | rename COL1 as index | table index ] | ...
OR
query | search [ | inputlookup Indexlookup.csv | rename COL1 as index | table index | format ] | ...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi rishiaggarwal,
to do this, you have to put your indexes in a lookup with column name called index and use it in a subsearch
your_search [ | inputlookup your_indexes.csv | fields index ] | ...
I don't like this solution, I prefer to put indexes in an eventtype and use it in my searches.
Bye.
Giuseppe
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
