Since it sees no leading pipe, you end up sending `search | inputlookup` to splunkd, hence your error. The reason is that the search box will always prefix the search with the `search` command if it doesn't see a leading pipe. If I use the token as default, only the first value 'value1. Currently the values do not show up at all. value1, value2, value3 should show up as separate initial values in the multiselect input. In case your lookup file contains time in seconds since the epoch, you can also add the time filter into the WHERE clause of inputlookup, e.g. As of now I'm having a query which will compare the firewall outbound traffic and display any blacklisted IP which is present in the inputlookup. The inputlookup of lookup.csv does return a single column with multiple rows if run in a separate search: column - value1 value2 value3. I need to compare the inputlookup with the Fortinet firewall and display the count of the destination IP along with the srcip. After this, select an index or create a new index, add data and start searching. Try the following dashboard code, which uses multiselect to reach Dates from startenddate.csv (you can use your own lookup filename instead). Now the time field value will be the same as the timestamp value in your CSV file. Use either outer or left to specify a left outer join. In Settings -> Add Data -> Upload, select your CSV file. Description: Options to the join command. The inputlookup command is an event-generating command. Syntax: `type=(inner | outer | left) usetime=<bool> earlier=<bool> overwrite=<bool> max=<int>`. Indeed, if the macro has the leading pipe character in the definition, and you then use that macro in the search box as `` `myMacro` ``, there's your problem. I have a blacklisted inputlookup CSV which contains 20000 blacklisted IPs. You must first change the case of the field in the subsearch to match the field in the main search.
I think this would also explain why the tweaked macro does work, because the "something before" would just get quietly flattened and thrown away by that `| stats count`. Hi all, I have a lookup table which is populated by a scheduled search once every day. `JSESSIONID firsttime lasttime inputlookup sessionstate.csv append=true`. Or at least the way Splunk thinks the macro is being used. Splunk will also have created a lookup named sessions.csv as a result of the. So it's not so much the macro that doesn't work, as the way the macro is being used. I.e., running this search will give you the exact same error in the UI: `* | inputlookup customer-details.csv`. It sounds like you're using the macro in a place where there's something in front of it, even if that something is just `*`.