- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How can I combine 2 searches consisting of inputlo...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How can I combine 2 searches consisting of inputlookup and outputlookups?
how can i combine queries to populate a lookup table?
I have a lookup table with the following values
item
1
2
3
i'm using the splunk web framework to allow a user to insert an item. if the user enters 3 then item 3 is changed to 4 and item 3 is inserted. the field input_item represents the value entered by the user. i'm using the query below to first renumber item 3 to 4 and to insert item 3 via an appended search.
| inputlookup item.csv
| eval input_item = 3
| eval itemnumber = if(itemnumber >= input_item, itemnumber +1, itemnumber)
| fields - input_item
| outputlookup item.csv
| append [
| inputlookup item.csv | stats count as testcount
| eval input_item =3
| eval itemnumber = input_item
| fields - testcount
| outputlookup item.csv append=true]
unfortunately, the new item is created with a value of 4 instead of 3.
is there way to combine these two queries or do i need to create 2 separate queries via 2 separate searches in the search manager?
thanks in advance,
Peter
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@pc1234 since you are anyways using Splunk Web Framework, this scenario seems to be a valid case for KV Store. So, you should try KV Store in place of Lookup: http://dev.splunk.com/view/webframework-tutorials/SP-CAAAEZT
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
PC1234, looks like you just want to modify your CSV and add a row to it. I am guessing that the csv gets evaluated once in the query, so try this:
| inputlookup item.csv
| eval input_item = 3
| eval itemnumber = if(itemnumber >= input_item, itemnumber +1, itemnumber)
| append [|makeresults | eval itemnumber = input_item | table itemnumber]
| fields - input_item
| outputlookup item.csv
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FYI, I verified that the lookup is only loaded/evaluated when the search gets parsed by doing this:
| makeresults
| eval data= "ITEM=1 ;ITEM=2; ITEM=3"
| makemv data delim=";"
| mvexpand data
| rename data as _raw | KV | table ITEM | outputlookup items.csv | append [|inputlookup items.csv]
If the lookukp were processed for each reference, I would get two records each for ITEM=1, ITEM=2, ITEM=3
Instead the results look like:
ITEM
1
2
3
Run the same query again and I get:
ITEM
1
2
3
1
2
3
New in Observability Cloud - Explicit Bucket Histograms
Updated Team Landing Page in Splunk Observability
New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...
