Help required regarding lookup

deepusoundar · ‎02-25-2019

I have a lookup(search_query.csv) with data as below.

Name Subcategory Query
Get      Vehicle          index=abc I where api=fig I table api msg
Post    Summary      index=cfg I where api=his I table api msg

[Note : lookup has 1000's row data such as above]

Now I would want to run a query using the above lookup,when name and subcategory matches,it has to execute the corresponding query. (i.e., use Name and Subcategory as input and get the query as output and use the output query as the search).

Is it possible?????

lakshman239 · ‎02-26-2019

pls download the https://splunkbase.splunk.com/app/1603/ app and install on your dev instance and you can look for 'Drilldown Elements' and it has samples in Drilldown Link Dashboard. A few others can also help you.

You can your base search which is something like index=* | inputlookup search_query.csv Name subcategory OUTPUT query .. this will show results in the first dashboard panel. When users click any row, you can then use token [ will have contents of query] and pass it to drill-down search to run that and return results in another panel within the same dashboard.

lakshman239 · ‎02-26-2019

if you are happy with the solution, pls accept to close the thread.

cvssravan · ‎02-25-2019

To my knowledge, you cannot pass the whole query from the output of lookup for a search.
But if you have query with fixed variables as you mentioned in the sample and constant query, you can try something like this:
index=abc I where api=fig I table api msg
Split the fields from the query into individual fields
ex: index_from_lookup=abc , api_from_lookup=fig, so you lookup looks like this

Name Subcategory index_from_lookup api_from_lookup
Get Vehicle abc fig
Post Summary cfg his

and then pass them to map command after the lookup. Sample is shown below. I have used "where" instead of "lookup command" for sample as I don't have the csv to do lookup

If you have limited searches in lookup and if you can create macros for each search, you can try this after you have the macro name from output of lookup
| map search="search $macro_name_from_lookup_output$ " (This will not be an option for you if you have 1000 different queries in your lookup).

Hope it helps.

lakshman239 · ‎02-25-2019

Are you trying to use this in dashboard?

|makeresults | eval Name="Get", Subcategory="Vehicle" | inputlookup search_query.csv Name Subcategory OUTPUT Query

the above will return your search (Query).

deepusoundar · ‎02-25-2019

Yes,am tryinh to use this for dashboard only..

I just do not want to get the query as result instead i would want to execute the query and see the result of that query..

For example,
For an event matching Name and subcategory,it has to fetch the query from lookup and execute that search and show the result..

somesoni2 · ‎02-25-2019

How are you planning to execute the query and how are you selecting/providing those Name/Subcategory field values? Are they going to come from a dropdown or something?

deepusoundar · ‎02-25-2019

The name and subcategory as they come in the event,when they get matched,they are used as input of lookup and query as the output and that query has to be executed

lakshman239 · ‎02-26-2019

You cannot do that in the search pipeline to my knowledge. you may be able to achieve that in a dashboard, but having a search which matches Name and subcategory as input against your events returning the Query. And when user clicks it, you can show/run the search to return results in another window/panel in the dashboard [ drill-down search]

deepusoundar · ‎02-26-2019

Can yu help me on how to proceed with it

Help required regarding lookup

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases