Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

static set of values for query

maniishpawar
Path Finder
‎06-21-2017 06:26 AM

Hi
How can I pass a static set of values to the query.
For example an array of computer names to a query that list all computers taking traffic and do a comparison with the static list to see which ones are not taking load.

Note: I specifically need to know how to pass a static set of values.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎06-21-2017 06:30 AM

Hi maniishpawar,
the easiest way to do this is to use a lookup containing your set of values and use it for filtering events.
In this way you can also easily manage this list using Lookup Editor App.
You have two ways to use this lookup:

  • when you can use values in a field,
  • when you use values to search without fields.

In the first case you can use something like this:

your_search [ | inputlookup your_lookup.csv | fields your_key_field ] | ...

In the second case you have to follow this method:

your_search [ | inputlookup your_lookup.csv | rename your_key_field AS query | fields query ] | ...

(remeber to use query as field name in subsearch!

Bye.
Giuseppe

View solution in original post

Reply
Solved! Jump to solution

cmerriman
Super Champion
‎06-21-2017 10:02 AM

if you're trying to avoid a lookup (after reading the answer by @cusello , though i believe that would work just fine), you could try to use a macro. add a macro in Settings>Advanced Search. it wouldn't need any arguments, just the definition. It would be something like:
computerName=x OR computerName=y OR computerName=z.... and in splunk 6.6 you could do computerName IN ("x","y","z"....)
and your search would be something like index=foo \macro`` except minus the \

or you could create an event type/tag with the field values and then search for that in your search string.

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎06-21-2017 06:30 AM

Hi maniishpawar,
the easiest way to do this is to use a lookup containing your set of values and use it for filtering events.
In this way you can also easily manage this list using Lookup Editor App.
You have two ways to use this lookup:

  • when you can use values in a field,
  • when you use values to search without fields.

In the first case you can use something like this:

your_search [ | inputlookup your_lookup.csv | fields your_key_field ] | ...

In the second case you have to follow this method:

your_search [ | inputlookup your_lookup.csv | rename your_key_field AS query | fields query ] | ...

(remeber to use query as field name in subsearch!

Bye.
Giuseppe

Reply
Solved! Jump to solution

maniishpawar
Path Finder
‎06-21-2017 07:56 AM

Can we not do this without a lookup ?
using fields or eval or something else.
as I want to use this in alert and I am not sure if lookup will work for alert.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎06-22-2017 04:42 AM

Hi maniishpawar,
Why do you think that a lookup doesn't work for alert?
alert search is a normal search, if your search with lookup correctly works as search at the same way works as alert!
Lookups is the easiest way to manage static lists.
Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

maniishpawar
Path Finder
‎06-22-2017 06:08 AM

I have tried to inputlookup and uploaded CSV file as well but now I am stuck as where to plug in the lookup.

This is my original query that I am trying to compare and find which servers stopped taking traffic.
how can I convert it.

index=something*prod sourcetype=iis

| stats last(index) as indx, values(source) by host
| rename host as hostname
|table indx,hostname
| dedup hostname
| join type=left max=0 hostname [ search index=something*prod sourcetype=iis earliest=-10m latest=now

| stats last(index) as indx,count by host
| rename host AS hostname | table indx, count, hostname ] | table _time, indx,hostname, count

0 Karma
Reply
Solved! Jump to solution

maniishpawar
Path Finder
‎06-22-2017 08:26 AM

I tried placing inputlook, but somehow the second query results which gets the count is not working.

|inputlookup file.csv|rename lookupservers AS hostname | fields hostname
| join type=left max=0 hostname [ search index=abc*prod sourcetype=iis earliest=-10m latest=now
| stats count by host
| rename host AS hostname | table count, hostname ] | table hostname, count

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎06-22-2017 08:32 AM

Hi maniishpawar,
in subsearches there is the limit of 50.000 occurrencies, so you have to build your search in a different way.
remeber that the lookup command is similar to a left join.

if you want to add some lookup field to your output, something like this:

index=abc*prod sourcetype=iis earliest=-10m latest=now 
| lookup file.csv lookupservers AS host OUTPUT lookup_field
| stats values(lookup_field) AS lookup_field count by host 
| rename host AS hostname 
| table count hostname lookup_field

If instead you want to filter your events using your lookup try something like this:

index=abc*prod sourcetype=iis earliest=-10m latest=now 
[ | inputlookup file.csv | rename lookupservers AS host | fields host ]
| stats count by host 
| rename host AS hostname 
| table count hostname lookup_field

Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎06-21-2017 09:05 AM

There is no reason why lookup will not work for alerts. Make sure that your lookup has correct scope/permissions so that it can be referred in the alert search.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...