You can also look at the Splunk format command if you need to alter the sub-search's expression format, for example, adding * around each returned expression. This expression is then appended to the original search string, so the final search that Splunk executes is `index=someindex host=host*p* "STATIC_SEARCH_STRING" ("alice") OR ("bob") OR ("charlie")`

This is a special field in sub-searches: when the sub-search returns the field query, it is expanded out into the expression (field_value_1) OR (field_value_2) OR. We then use fields to ensure there is only a single field (UserList) in the data.

What is happening here is that there is a sub-search, which does an inputlookup on the users.csv file. Use output_format=splunk_mv_csv when you want to output multivalued fields to a lookup table file, and then read the fields back into Splunk using the inputlookup command.

guilmxm (08-11-2014 02:21 PM): Hi, when using inputlookup you should use 'search' instead of where. In my experience I had various trouble using the where command within inputlookup, but search always worked as expected.

Splunk KV Store, the lookup table requires a.

`index=someindex host=host*p* "STATIC_SEARCH_STRING"`