Solved: Re: How to pass the value in main query from the l...

DataOrg · ‎08-28-2018

I have a list of server in lookup file and I want to create an alert.
The list of server names in the lookup file(around 90 servers) and I need to pass the value in the main query from the lookup file.

The column server has a value with around 90servers so I need to pass the 90 servers values in the search.

jkat54 · ‎08-28-2018

index=foo [| inputlookup yourlookup.csv OUTPUTNEW hostFieldFromLookup AS host | fields host | format host]

Which will turn into

index=foo (host=hostname1 OR host=hostname2 OR ...)

View solution in original post

493669 · ‎08-28-2018

if lookup file is already created in splunk then use

...|inputlookup <filename>

DataOrg · ‎08-28-2018

it will not work.

i need to read the lookup file and pass the value to sub-search

493669 · ‎08-28-2018

have you created lookup file in splunk? what is the name of lookup file?

DataOrg · ‎08-28-2018

i am using below search

493669 · ‎08-28-2018

can you share sample values of lookup

|inputlookup production_sites

check if this above query gives output

|inputlookup production_sites where Type="Data"|fields Type

this query only give Type="data" as field I don't hink if thats you are looking for
as fields command limits the output to show only specific fields in this case as Type

jkat54 · ‎08-28-2018

index=foo [| inputlookup yourlookup.csv OUTPUTNEW hostFieldFromLookup AS host | fields host | format host]

Which will turn into

index=foo (host=hostname1 OR host=hostname2 OR ...)

DataOrg · ‎08-28-2018

i need to get a data from lookup file and have to pass it in same query of the sub search

How to pass the value in main query from the lookup file in a list of servers?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases