
How to pass a value to the |inputlookup where , inside a subsearch

AVOLLMER
Explorer

I have a search:

index=examp1 sourcetype=json application=myservice
NOT [|inputlookup aps_test_filter.csv where application=<>| fields application prod_issue filter_field filter_values| eval {filter_field}=filter_values | fields - filter_field filter_values | stats values(*) as * by prod_issue | fields - prod_issue]

The CSV file has a set of filters to apply for each application. It is correctly outputting these filters to my main search string as follows:

`NOT ((application=myservice AND field1_prod_issue1=value AND field2_prod_issue1=value)
OR (application=myservice AND field1_prod_issue2=value AND field2_prod_issue2=value))`

The problem is I have a ton of filters in the CSV and I don't need them all to be looked up and applied to the search string, I only want the rows that match the correct application to be used.

I know that the subsearch runs first, which prevents me from passing values to it from my main search. Is there a way to achieve this? I have everything from the NOT onward in a macro that I want to append to all my alerts and reports.

Thanks!


somesoni2
SplunkTrust

How are you passing application name to your main search?


AVOLLMER
Explorer

I want to pass application name from my main search to the subsearch to use it to filter values in the inputlookup and extract the values I want to use to filter the main search.

My CSV file has application, filter_field, filter_values, prod_issue, timestamp, user. I don't care about the last 2 columns... my subquery takes those columns and for each prod_issue makes a parenthesis set with OR statements between them. Inside the parentheses it has application=myservice AND field1_prod_issue1=value AND field2_prod_issue1=value for each field / value pair that exists per prod_issue, as shown in the example above. The way I currently have it set up, it works fine, except it pulls all of them for every application... but I only want it to pull the field / value pairs for the application currently being searched for, not EVERY possible combination.


somesoni2
SplunkTrust

So you want to take all the applications from index=examp1 sourcetype=json and only apply filters for those apps?
If yes, you can do this dirty workaround:

index=examp1 sourcetype=json  NOT [|inputlookup aps_test_filter.csv | where [search index=examp1 sourcetype=json | stats count by application | table application]| fields application prod_issue filter_field filter_values| eval {filter_field}=filter_values | fields - filter_field filter_values | stats values(*) as * by prod_issue | fields - prod_issue]

But it may be more inefficient than having all application filters applied (subsearch inside subsearch). What's the problem that you see when all application filters are applied?


AVOLLMER
Explorer

That workaround wouldn't work, as any index or sourcetype could be used, and a user might pick one application, or 3 applications might result from the rest of whatever they happen to be searching for. Then I would have to pass the whole search inside.

I don't necessarily have a problem with it pulling all of the values out; it works as expected. I just anticipate this lookup growing really big, and it could have a couple hundred AND / OR combinations to filter on if I can't figure out a way to pull only those filters that are applicable to the applications which result from the main search.


p_gurav
Champion

Hi AVOLLMER,

Try using the map command. Refer to the link below:
http://docs.splunk.com/Documentation/Splunk/7.0.2/SearchReference/Map


AVOLLMER
Explorer

Thanks for your answer p_gurav; unfortunately, I don't see how I can prepend the results from the map subsearch with the NOT operator to filter the results in my original search as indicated in the question.
If I do this:
index=examp1 sourcetype=json application=myservice <can't put NOT here since results are on other side of pipe >|map[|inputlookup aps_test_filter.csv where application=$application$| fields application prod_issue filter_field filter_values| eval {filter_field}=filter_values | fields - filter_field filter_values | stats values(*) as * by prod_issue | fields - prod_issue]

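One way to get the application name into the `inputlookup ... where` clause when it is fixed in the search string, as it is in the original `application=myservice` search, is to give the macro an argument. This is an added example, not code from any poster in this thread; the macro name `aps_filter` and the argument name `app` are assumed, and the lookup body is the one the original search already uses.

```ini
# macros.conf (hypothetical stanza added as an example for this thread; not from any poster)
# aps_filter takes one argument: the application name, known when the search is written.
[aps_filter(1)]
args = app
definition = NOT [| inputlookup aps_test_filter.csv where application="$app$" | fields application prod_issue filter_field filter_values | eval {filter_field}=filter_values | fields - filter_field filter_values | stats values(*) as * by prod_issue | fields - prod_issue]
iseval = 0
# Invocation, with the application pinned the same way as in the original search:
#   index=examp1 sourcetype=json application=myservice `aps_filter(myservice)`
```

The subsearch still runs before the main search, so this only narrows the lookup rows when the application is a fixed token at authoring time; it does not help when the set of applications is only known from the main search's results.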