Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I use a variable from a lookup in a search?

wgawhh5hbnht
Communicator
‎06-21-2023 05:37 AM

I have a lookup table that contains usernames and userids. I want to use this to match a username to userid & vice versa. I want to take the output from said lookup and search across multiple indexes for the username OR the userid. It would look ruffly something like this:

|inputlookup username2userid.csv 
| search username=a@a.com 
| table username userid
| search (index=a $username$) OR (index=b $userid$)

 

If I manually replace either variable with the actual values the search works. Is it not possible to pass a variable from a lookup into a search?

 

Thank you in advance! 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎06-21-2023 06:34 AM

Please try 

| inputlookup "username2userid.csv" 
| search username=a
| table username, userid 
| map search="search index=a $userid$"

this should works 

View solution in original post

Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎06-21-2023 05:49 AM

Hi

basically you have two options:

  • use your current query (last line) with map command
  • Switch the order to reverse and use sub queries to get those username and userid

It depends on your event amounts etc. which one is better.

r. Ismo

0 Karma
Reply
Solved! Jump to solution

wgawhh5hbnht
Communicator
‎06-21-2023 06:22 AM

1. Thank you for the response. I'm getting the following error when using the map command:

Unable to run query '(index=a "<REDACTED>") OR (index=b "<REDACTED>")'

I don't see anything in the search.log that is causing errror and I've tried specifying fields for both variables.

If I only search one index with one variable I get a similar error.
SEARCH:

| inputlookup "username2userid.csv" |search username=a
| table username, userid 
| map search="index=a $userid$"

ERROR:

Unable to run query 'index=hyperion "<REDACTED>"'

 

 

2. I'm unsure what you mean by "Switch the order to reverse and use sub queries to get those username and userid". May I have an example please?

0 Karma
Reply
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎06-21-2023 06:34 AM

Please try 

| inputlookup "username2userid.csv" 
| search username=a
| table username, userid 
| map search="search index=a $userid$"

this should works 

Reply
Solved! Jump to solution

wgawhh5hbnht
Communicator
‎06-21-2023 06:38 AM

That was it! Thank you for your help!

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...