- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Pass value to subsearch with inputlookup
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Pass value to subsearch with inputlookup
Hi,
perhaps it is the wrong approach, but i try to use an inputlookup within a search and pass a value to this subsearch.
It looks like this:
index=myindex sourcetype=stype source=sourcename
|eval SourceHost =[|inputlookup transfer_nodes.csv
|search nodeId IN ($last_source_node_id$)
|fields name
|stats first(name) as SourceHost
|eval SourceHost="\"".SourceHost."\""
|return $SourceHost
]
|eval DestinationHost =[|inputlookup transfer_nodes.csv
|search nodeId IN ($last_dest_node_id$)
|fields name
|stats first(name) as DestinationHost
|eval DestinationHost="\"".DestinationHost."\""
|return $DestinationHost
]
|table name,SourceHost,DestinationHost
I get the following error: Error in 'eval' command: Failed to parse the provided arguments. Usage: eval dest_key = expression.
The problem is the passing of the value $last_source_node_id$ ($last_dest_node_id$)
I already tried to map the subsearch, then the passing works, but the result is not what i expected.
Finally I would like to use a macro like GetTransferNode($last_nodeId$)
Hope you have an idea how to solve it.
best regards and thank you in advance !
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I solved it by a join...
First I thought it will be to slow, but it works fine
| join type=left nodeId
[ |inputlookup transfer_nodes.csv
|rename name as DestinationHost]
...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=myindex sourcetype=stype source=sourcename
|eval SourceHost =[|inputlookup transfer_nodes.csv
|search nodeId=$last_source_node_id$
|fields name
|stats first(name) as SourceHost
|eval SourceHost="\"".SourceHost."\""
|return $SourceHost
]
|eval DestinationHost =[|inputlookup transfer_nodes.csv
|search nodeId=$last_dest_node_id$
|fields name
|stats first(name) as DestinationHost
|eval DestinationHost="\"".DestinationHost."\""
|return $DestinationHost
]
|table name,SourceHost,DestinationHost
unnecessary IN operator. How about this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
this will not work. it is not possible to pass the token $last_dest_node_id$ to the subsearch
A map would be a possible solution like ...
|map [|inputlookup transfer_nodes.csv
|search nodeId=$last_source_node_id$]
but the table only contained the result of the subsearch, not the conbination of both searches
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=myindex sourcetype=stype source=sourcename
[|inputlookup append=t transfer_nodes.csv]
|search nodeId=$last_source_node_id$ OR nodeId=$last_dest_node_id$
| eval host_flag=case(node_id=$last_source_node_id$,"Source",node_id=$last_dest_node_id$,"Dest")
| stats values(eval(if(flag="Source",name,NULL))) as SourceHost values(eval(if(flag="Dest",name,NULL))) as DestHost by name
I think, your result is like the result of this.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What's token value "$last_source_node_id$"?
like A, B ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
number like 1 or 2 or ...
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
