<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Field Name/Value Pairs - Searching with a Lookup Table in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Field-Name-Value-Pairs-Searching-with-a-Lookup-Table/m-p/33527#M5994</link>
    <description>&lt;P&gt;I'm looking to read in a set of field name/value pairs from a given lookup table (using inputlookup) and then use that as a set of parameters in a search. Specifically, I'm looking to search for "field_name = X" value in a given index and then use that list of field/value pairs as an exclusion list to what I'm searching for. I could also have multiple sets of field/value pairs. So, in other words, in plain English:&lt;/P&gt;

&lt;P&gt;Search for FieldName = X in ABC Index&lt;BR /&gt;
But not if (A=blah AND B=doh AND C=meh) OR (B=meh AND C=blah)&lt;BR /&gt;
(etc.)&lt;/P&gt;

&lt;P&gt;and the A/blah, B/doh, C/meh etc. values would all be field/value pairs in the lookup table that are read in via inputlookup. &lt;/P&gt;

&lt;P&gt;So far I've successfully used inputlookup w/csv tables for filtering out/including single values where I pre-define the field name in the search, but I haven't found a good way of doing more complicated logic where the field name is actually being read from a table and you can have multiple groupings. I'd appreciate any feedback/help anyone has to offer. Thanks!&lt;/P&gt;</description>
    <pubDate>Tue, 13 Aug 2013 19:24:22 GMT</pubDate>
    <dc:creator>SplunkMonster</dc:creator>
    <dc:date>2013-08-13T19:24:22Z</dc:date>
    <item>
      <title>Field Name/Value Pairs - Searching with a Lookup Table</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Field-Name-Value-Pairs-Searching-with-a-Lookup-Table/m-p/33527#M5994</link>
      <description>&lt;P&gt;I'm looking to read in a set of field name/value pairs from a given lookup table (using inputlookup) and then use that as a set of parameters in a search. Specifically, I'm looking to search for "field_name = X" value in a given index and then use that list of field/value pairs as an exclusion list to what I'm searching for. I could also have multiple sets of field/value pairs. So, in other words, in plain English:&lt;/P&gt;

&lt;P&gt;Search for FieldName = X in ABC Index&lt;BR /&gt;
But not if (A=blah AND B=doh AND C=meh) OR (B=meh AND C=blah)&lt;BR /&gt;
(etc.)&lt;/P&gt;

&lt;P&gt;and the A/blah, B/doh, C/meh etc. values would all be field/value pairs in the lookup table that are read in via inputlookup. &lt;/P&gt;

&lt;P&gt;So far I've successfully used inputlookup w/csv tables for filtering out/including single values where I pre-define the field name in the search, but I haven't found a good way of doing more complicated logic where the field name is actually being read from a table and you can have multiple groupings. I'd appreciate any feedback/help anyone has to offer. Thanks!&lt;/P&gt;</description>
      <pubDate>Tue, 13 Aug 2013 19:24:22 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Field-Name-Value-Pairs-Searching-with-a-Lookup-Table/m-p/33527#M5994</guid>
      <dc:creator>SplunkMonster</dc:creator>
      <dc:date>2013-08-13T19:24:22Z</dc:date>
    </item>
    <item>
      <title>Re: Field Name/Value Pairs - Searching with a Lookup Table</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Field-Name-Value-Pairs-Searching-with-a-Lookup-Table/m-p/33528#M5995</link>
      <description>&lt;P&gt;Where do you get stuck with using inputlookup? Let's say you have the following lookup:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;A,B,C
blah,doh,meh
,meh,blah
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;This will translate into the filter string you've specified (you can see this for yourself by running "&lt;CODE&gt;|inputlookup yourlookup | format&lt;/CODE&gt;"):&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;( ( A="blah" AND B="doh" AND C="meh" ) OR ( B="meh" AND C="blah" ) )
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;To negate this, just put a NOT before the subsearch. So in conclusion, you'll want something like:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;index=ABC FieldName=X NOT [|inputlookup yourlookup]
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Tue, 13 Aug 2013 19:43:11 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Field-Name-Value-Pairs-Searching-with-a-Lookup-Table/m-p/33528#M5995</guid>
      <dc:creator>Ayn</dc:creator>
      <dc:date>2013-08-13T19:43:11Z</dc:date>
    </item>
    <item>
      <title>Re: Field Name/Value Pairs - Searching with a Lookup Table</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Field-Name-Value-Pairs-Searching-with-a-Lookup-Table/m-p/33529#M5996</link>
      <description>&lt;P&gt;You might look at subsearches and use of the "format" search command, sending extra non-default arguments to "format". It may be able to do what you want.&lt;/P&gt;</description>
      <pubDate>Tue, 13 Aug 2013 22:55:58 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Field-Name-Value-Pairs-Searching-with-a-Lookup-Table/m-p/33529#M5996</guid>
      <dc:creator>gkanapathy</dc:creator>
      <dc:date>2013-08-13T22:55:58Z</dc:date>
    </item>
  </channel>
</rss>