You can also look at the Splunk format command if you need to alter the sub-search's expression format, for example, adding * around each returned expression.

This expression is then appended to the original search string, so the final search that Splunk executes is:

index=someindex host=host*p* "STATIC_SEARCH_STRING" ("alice") OR ("bob") OR ("charlie")

For human-readable output, the table command is supported in the query argument.

query is a special field in sub-searches: when the sub-search returns the field query, it is expanded out into the expression (field_value_1) OR (field_value_2) OR ...

You can use Splunk to define a user lookup table and then configure the.

Splunk lookup vs. inputlookup subsearch: use a subsearch to filter results. We then use fields to ensure there is only a single field (UserList) in the data.

Solution (acharlieh, 04-08-2016 10:50 AM)

For reference: the docs have a page for each command: lookup, inputlookup and outputlookup.

What is happening here is that there is a sub-search, which does an inputlookup on the users.csv file.

I want to perform a search where I need to use a static search string + input from a csv file with usernames:

Search query:

index=someindex host=host*p* "STATIC_SEARCH_STRING"

Value from users.csv, where the list is like this (please note that User/UserList is NOT a field in my Splunk):

UserList
User1
User2
User3

index=someindex host=host*p* "STATIC_SEARCH_STRING"