Currently the inputlookup return function requires you to input a hardcoded total of records to check when used in a subsearch. Why is this required and how do you make it return all records?
Example usage:
index=logs [| inputlookup data.csv | return 1000 name=$hostname]
I have to hard code the "1000" to tell Splunk to check 100 records in the lookup. This requirement is illogical as I always want it to check (lookup) ALL records. As a workaround, I just pick a high number that exceeds the total rows in the CSV.
@orion44 try the following
Using the table command in the sub-search:
index=logs
[| inputlookup data.csv
| fields hostname
| rename hostname as name
| table name ]
Or using the format command:
index=logs
[| inputlookup data.csv
| fields hostname
| rename hostname as name
| format]
Works perfectly, thanks!
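Added example, not part of the original thread: a Python approximation of the search string that the `format` subsearch above hands to the outer `index=logs` search, next to a single-row limit, which is what `return` gives when no count is supplied (its count defaults to 1). The sample CSV, `load_names` and `format_rows` are constructed for illustration, and the quoting is an approximation of Splunk's output.

```python
import csv
import io

# Constructed sample standing in for data.csv; not data from the thread.
SAMPLE_CSV = """hostname,owner
web01,alice
db01,bob
web01,carol
"""


def load_names(csv_text, column="hostname", alias="name"):
    """Mimic: inputlookup data.csv | fields hostname | rename hostname as name."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [{alias: row[column]} for row in reader if row.get(column)]


def format_rows(rows, limit=None):
    """Approximate the expression `format` builds from subsearch rows.

    Each row becomes one parenthesised group of field="value" terms joined
    by AND; the groups are joined by OR. limit=1 models `return` without a
    count, which passes only the first row to the outer search.
    """
    if limit is not None:
        rows = rows[:limit]
    clauses = []
    for row in rows:
        terms = " AND ".join(
            '{}="{}"'.format(field, str(value).replace('"', '\\"'))
            for field, value in row.items()
        )
        clauses.append("( " + terms + " )")
    if not clauses:
        # Documented default of format's emptystr option for empty results.
        return "NOT( )"
    return "( " + " OR ".join(clauses) + " )"


if __name__ == "__main__":
    rows = load_names(SAMPLE_CSV)
    print("all rows :", format_rows(rows))
    print("first row:", format_rows(rows, limit=1))
```

In Splunk itself, running the bracketed subsearch on its own (without the outer `index=logs`) shows the real generated expression in the `search` field.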