Hi Splunkers,
I have a lookup with WiFi authentication data (IP-Addr, mac-addr, username). Let's say name=wifiauth_records.csv
Periodically all records are saved to a new csv file (in the same app's directory) with the same first part of the name, but with a different second part, which is the actual date (name=wifiauth_records_20180412.csv).
As a result, for some purpose, the initial file always contains only records for the last 7 days.
Now I want to create a search which will open and join all these files on demand to make a historical search by criteria. Something like:
| inputlookup wifiauth_records.csv | append [|inputlookup wifiauth_records_2018*.csv]
How can I do this with SPL?
You can try something like this:
| rest /services/data/lookup-table-files
| search title="wifiauth_records*"
| fields title
| map maxsearches=50 search="| inputlookup $title$"
Change maxsearches to a greater value if you have more than 50 lookups.
Works, thank you!
Stuck on this:
| inputlookup [| REST /services/data/lookup-table-files | search eai:data=*myapp* title=wifiauth_records_201803* | fields title | eval append=" | append [ | inputlookup ", close=" ] " | eval title=append+title+close | fields title | stats values(title) as t | eval t=mvjoin(t,"") | eval a=" wifiauth_records " | eval a=a+t | fields a | return $a]
I get the error: Error in 'inputlookup' command: Invalid argument: '|'
The subsearch query itself returns the required string that should go after | inputlookup:
wifiauth_records| append [ | inputlookup wifiauth_records_20180303.csv ] | append [ | inputlookup wifiauth_records_20180310.csv ] ....
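For the case in the last post (the current file plus the March 2018 archives), here is a variant of the map approach from the answer above, added as an example that is not part of the original thread. As the error message indicates, text returned by a subsearch is handed to inputlookup as arguments and cannot add new pipeline stages, whereas map runs one inputlookup per file name. The column name username follows the question's description and the value jdoe is constructed; source_lookup is a field name introduced here to record which file each row came from.

```spl
| rest /services/data/lookup-table-files
| search eai:data=*myapp* (title="wifiauth_records.csv" OR title="wifiauth_records_201803*")
| fields title
| map maxsearches=50 search="| inputlookup $title$ | eval source_lookup=\"$title$\""
| search username="jdoe"
| sort 0 source_lookup
```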