Splunk Search

inputlookup in a map search

cardinalga
Explorer

Hi Splunk fellows,

Struggling a bit with the map command, which I have never used before:

| inputlookup myfile1.csv
| append
[| inputlookup myfile2.csv ]
| where status!="H"
| eventstats dc(status) as status_cnt by site_code
| where status_cnt=1 and status="C"
| table site_code
--> until here everything looks fine
| map search="|inputlookup myfile1.csv | where site_code=$site_code$"

Don't try too much to make sense out of it, as I simplified the query, but basically I'm filtering out events to get the ones I'm interested in, and I create a table containing my site_code values. So far so good. Now I would like to use these values to select some specific entries in my lookup table with the map command, but I'm not getting any results. It seems the $site_code$ variable is not filled in properly.

Any advice?

Thank you

0 Karma
1 Solution

micahkemp
Champion

You would need to put $site_code$ in quotes, like this:

| inputlookup myfile1.csv 
| append 
[| inputlookup myfile2.csv ]
| where status!="H"
| eventstats dc(status) as status_cnt by site_code
| where status_cnt=1 and status="C" 
| table site_code 
| map [|inputlookup myfile1.csv | where site_code="$site_code$"]

I changed search="..." to [...] to make this easier to read.

You could combine the where with the inputlookup, as well:

| inputlookup myfile1.csv 
| append 
[| inputlookup myfile2.csv ]
| where status!="H"
| eventstats dc(status) as status_cnt by site_code
| where status_cnt=1 and status="C" 
| table site_code 
| map [|inputlookup myfile1.csv where site_code=$site_code$]

Note that this version doesn't require double quotes around $site_code$. This is because the where clause of inputlookup assumes the right-hand side will be a value, whereas the where command allows you to pass field names on the right-hand side, or values if in quotes. So your | where thought you were saying | where <fieldA>=<fieldB> instead of | where <fieldA>=<valueB>.


mayurr98
Super Champion

Can you try:

| inputlookup myfile1.csv 
| append 
[| inputlookup myfile2.csv ]
| where status!="H"
| eventstats dc(status) as status_cnt by site_code
| where status_cnt=1 and status="C" 
| table site_code 
--> until here everything looks fine
| map search="|inputlookup myfile1.csv | where site_code=\"$site_code$\"" 

let me know if this works!

cardinalga
Explorer

This is working, many thanks for this. Actually my aim is to compare 2 lookup tables to find the list of site_codes I'm interested in. Then, based on this list, I need to modify some entries having the same site_code in the first lookup table.

Sorry for not having accepted your answer, I thought it was possible to accept several answers but apparently it is not. Thank you anyway for your help.

0 Karma

micahkemp
Champion

I had a typo in my searches, where I had search=[. When you use [ to define your map search instead of ", you don't also include the search= component.

cardinalga
Explorer

This one is working too. Thanks for the explanation.

0 Karma

micahkemp
Champion

Despite your assertion that we shouldn't "try too much to make sense out of it", I'm going to ask that you provide some basic details regarding what the data looks like and what you want to accomplish. The reason for this is that map is a bad idea in most cases. I think you'd be better served trying to find a better search, rather than troubleshooting this one.

That said, academic exercises (i.e., solving this one even though you may not use the answer) are still great teachers.

0 Karma
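As an added example (not posted by anyone in the thread and not taken from Splunk's documentation) of the "find a better search" route suggested above: the same selection done with a subsearch instead of map, using only the lookup files and field names from the question (myfile1.csv, myfile2.csv, site_code, status). The subsearch computes the list of site_code values exactly as the question does, and the outer search then pulls the matching rows from myfile1.csv in a single pass.

```spl
| inputlookup myfile1.csv
| search
    [ | inputlookup myfile1.csv
      | append [ | inputlookup myfile2.csv ]
      | where status!="H"
      | eventstats dc(status) AS status_cnt BY site_code
      | where status_cnt=1 AND status="C"
      | dedup site_code
      | fields site_code ]
```

Splunk expands the subsearch into a filter of the form ( site_code="A" ) OR ( site_code="B" ) ..., with each value already quoted, so the quoting pitfall from the original | where site_code=$site_code$ never comes up. Two limits to keep in mind when choosing between the two approaches: a subsearch is capped by the limits.conf [subsearch] settings (10,000 results and 60 seconds by default), and map only runs its search for the first maxsearches rows it receives (10 by default), silently ignoring the rest unless you raise that argument.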