Solved: how to replace a lookup part in the splunk query w...

pavanae · ‎05-18-2018

I have a query as below which gives some output

index="summary" search_name="ABC"
| dedup hostname
| join type=outer ip_address
[| inputlookup device_list.csv

| rename devip as my_ip ]

Now, I had created a small saved search to save the daily lookup result using the summery indexing concept like below

saved search name :- daily_device_list
search :-
| inputlookup device_list.csv

| rename devip as my_ip
scheduled :- once everyday
will save the results on index "summary"

Now, I am trying to replace my query with the saved search like below

index="summary" search_name="ABC"
| dedup hostname
| join type=outer ip_address
[index="summary" search_name="daily_device_list" ]

Which throws me an error as follows

Search Factory: Unknown search command 'index'.

Now, could someone assist me on what went wrong or how to modify my query to use the saved search "daily_device_list" by replacing the actuall query?

solarboyz1 · ‎05-18-2018

You need to put the search command in the box:

index="summary" search_name="ABC"
| dedup hostname
| join type=outer ip_address
[ search index="summary" search_name="daily_device_list" ]

View solution in original post

solarboyz1 · ‎05-18-2018

You need to put the search command in the box:

index="summary" search_name="ABC"
| dedup hostname
| join type=outer ip_address
[ search index="summary" search_name="daily_device_list" ]

how to replace a lookup part in the splunk query with a saved search?

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!