9/1/2023

Splunk inputlookup

Inputlookup reads a lookup file, that is, it shows the contents of a lookup file. Without append you can only use inputlookup as a generating command at the beginning of the pipeline. Add

| inputlookup mylookup append=t

to the end of a search pipeline to append the data from the lookup file to the current search results.

What is happening here is that there is a sub-search, which does an inputlookup on the users.csv file. We then use fields to ensure there is only a single field (UserList) in the data. The field query is special in sub-searches: when the sub-search returns the field query, it is expanded out into the expression (field_value_1) OR (field_value_2) OR ... This expression is then appended to the original search string

index=someindex host=host*p* "STATIC_SEARCH_STRING"

so the final search that Splunk executes is

index=someindex host=host*p* "STATIC_SEARCH_STRING" ("alice") OR ("bob") OR ("charlie")

You can also look at the Splunk format command if you need to alter the sub-search's expression format, for example adding * around each returned expression.

Whatever I tried, nothing works so far, and I do not understand why a correct filename string cannot be processed as a parameter of a following (append, join etc.) inputlookup command.

| inputlookup list250k
| rename ipcidr as ip
| eval convertip=tostring(ip)
| lookup list65k ipcidr AS convertip OUTPUT ipcidr, list
| where isnotnull(ipcidr)
| rename ipcidr as foundin

The filename is stored in the EVENTLIST3v3. In the '250k' lookup there is only an IP column, while in the second one there are IP CIDR + LIST. The lookup goes ok, but I cannot get it passed further as a filename argument for the next inputlookup statement.