Splunk Search

subsearch with inputlookup

archananaveen
Explorer

| inputlookup clusName.csv | fields cluster

This works in a dropdown and has around 10 entries.

Now, I need to use the values in the cluster field to display rest of the information.

index = * sourcetype=***** eventtype=* | stats values(eventtype) as Eventtype values(source) as Source values(host) as Host by values[|inputlookup clusName.csv | fields cluster]

I get the Host details fine. But it doesn't work on the output of the inputlookup field. Is it possible to achieve this?

0 Karma

archananaveen
Explorer
| rex field=source "(\/\w+){2}\/(?<clus>[^\/]*)" | dedup clus | sort clus | table clus | outputlookup clusName.csv

Sample source fields have the patterns below:

/field1/field2/field3/asdf/asdf
/tab1/tab2/tab3/asfda/asdf

Now trying to use the inputlookup values in search. The inputlookup works fine on dropdown.

This is not working though:

index = sourcetype=xxxxx eventtype=* [|inputlookup clusName.csv | fields cluster] | stats values(eventtype) as Eventtype values(source) as Source values(host) as Host by cluster

0 Karma

HiroshiSatoh
Champion

You cannot use the field unless you combine the fields with lookup or join.
If the cluster field does not exist, you need to extract the field, so please post a sample log.

0 Karma

kmorris_splunk
Splunk Employee

Try putting your subsearch as part of your base search:

index = sourcetype= eventtype=* [|inputlookup clusName.csv | fields cluster] | stats values(eventtype) as Eventtype values(source) as Source values(host) as Host by cluster
0 Karma

archananaveen
Explorer

No results are displayed. I do not have a cluster field in the index, only in the lookup table. I can't even get the output of inputlookup to display in a table along with the other fields. The output column for the cluster field is always empty. But inputlookup on its own works fine, and it also works in a dashboard.

The cluster field has entries based on the "source" field. Using regex, a part of the string was stripped from the source field. What else could I try to get this going?

0 Karma

niketn
Legend

Can you try the following, if the cluster field is available in your lookup file as well as in the indexed data?

index = sourcetype= eventtype=*  [|inputlookup clusName.csv | fields cluster]
| stats values(eventtype) as Eventtype values(source) as Source values(host) as Host by cluster 
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
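The thread's core problem is that `[| inputlookup clusName.csv | fields cluster]` expands to an OR of `cluster=<value>` terms, and indexed events that carry no `cluster` field can never match them. The following Python model is an added example, not code from the thread or from Splunk: it simulates the subsearch expansion over constructed events and a constructed lookup (the lookup column is assumed to be named `cluster`, as the later searches reference it), shows the original search returning nothing, and then shows that extracting `cluster` from `source` with the poster's regex before filtering and grouping produces the expected per-cluster table. Python's `re` needs `(?P<name>...)` where Splunk's rex uses `(?<name>...)`; the pattern is otherwise the one posted above.

```python
import re
from collections import defaultdict

# Constructed sample events in the shape the thread describes: the indexed
# data has source/host/eventtype but no "cluster" field (assumption).
EVENTS = [
    {"source": "/field1/field2/field3/asdf/asdf", "host": "web01", "eventtype": "login"},
    {"source": "/field1/field2/field3/qwer/zxcv", "host": "web02", "eventtype": "logout"},
    {"source": "/tab1/tab2/tab3/asfda/asdf", "host": "db01", "eventtype": "login"},
    {"source": "/other/path/unlisted/x/y", "host": "misc01", "eventtype": "login"},
]

# Constructed clusName.csv rows; the column name "cluster" is an assumption
# taken from the searches in the thread that use "fields cluster" / "by cluster".
LOOKUP = [{"cluster": "field3"}, {"cluster": "tab3"}]

# The poster's rex pattern (third path component), in Python named-group syntax.
CLUSTER_RE = re.compile(r"(\/\w+){2}\/(?P<cluster>[^\/]*)")


def subsearch_filter(lookup_rows, field):
    """Model how `[| inputlookup ... | fields cluster]` is expanded: each row
    becomes a field=value term and the terms are ORed together."""
    return [(field, row[field]) for row in lookup_rows]


def matches(event, or_terms):
    """An event matches the expanded subsearch only if it carries the field
    with one of the listed values; events lacking the field never match."""
    return any(event.get(f) == v for f, v in or_terms)


def run_original_search(events, lookup_rows):
    """The failing search: the subsearch filter is applied to raw events
    that have no cluster field, so nothing survives."""
    terms = subsearch_filter(lookup_rows, "cluster")
    return [e for e in events if matches(e, terms)]


def extract_cluster(event):
    """Equivalent of `| rex field=source "..."` run at search time."""
    m = CLUSTER_RE.match(event["source"])
    return {**event, "cluster": m.group("cluster")} if m else dict(event)


def stats_by_cluster(events):
    """`| stats values(eventtype) as Eventtype values(source) as Source
    values(host) as Host by cluster`; events without the by-field are dropped."""
    groups = defaultdict(lambda: {"Eventtype": set(), "Source": set(), "Host": set()})
    for e in events:
        if "cluster" not in e:
            continue
        g = groups[e["cluster"]]
        g["Eventtype"].add(e["eventtype"])
        g["Source"].add(e["source"])
        g["Host"].add(e["host"])
    return {k: {col: sorted(vals) for col, vals in g.items()} for k, g in groups.items()}


def run_fixed_search(events, lookup_rows):
    """Extract cluster from source first, then apply the subsearch filter
    (restricting to clusters listed in the lookup) and group by cluster."""
    extracted = [extract_cluster(e) for e in events]
    terms = subsearch_filter(lookup_rows, "cluster")
    return stats_by_cluster([e for e in extracted if matches(e, terms)])


if __name__ == "__main__":
    print("original search results:", run_original_search(EVENTS, LOOKUP))
    for cluster, cols in sorted(run_fixed_search(EVENTS, LOOKUP).items()):
        print(cluster, cols)
```

The order matters: the field must exist on the events before the subsearch's `cluster=` terms are evaluated against them, which in SPL means running the `rex` (or an automatic lookup that populates `cluster`) before the `search` that carries the subsearch, not in the base search.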
0 Karma