https://community.splunk.com/t5/Splunk-Search/search-field-for-many-values/m-p/57612#M14049 <P>Perhaps you can investigate the inputlookup / outputlookup methods of creating and maintaining a lookup file, e.g.</P> <P><CODE>|inputlookup file | modify stuff | outputlookup file</CODE></P> <P><A href="http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Inputlookup">http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Inputlookup</A><BR /> <A href="http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Outputlookup">http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Outputlookup</A></P> <P><A href="http://blogs.splunk.com/2011/01/11/maintaining-state-of-the-union/">http://blogs.splunk.com/2011/01/11/maintaining-state-of-the-union/</A></P> <P>/K</P> Mon, 09 Sep 2013 08:46:00 GMT kristian_kolb 2013-09-09T08:46:00Z https://community.splunk.com/t5/Splunk-Search/search-field-for-many-values/m-p/57611#M14048 <P>I need a search which returns events where a specific field contains any one of many values. Typically this is done with the "OR" logical operator. However, I need to search for thousands of values which cannot be expressed using a regular expression.</P> <P>I've seen discussions of using "lookups" for this. However, if I understand correctly, that would require administrative access to the Splunk server (which I don't have) to configure the lookup file and later update it.</P> <P>I've also seen suggestions to write a script to generate a massive search string with all the "OR"s in it. I'd like to investigate other solutions before adopting that idea.</P> <P>Ideally, I'd like to provide the list of field values to match in a file.</P> <P>Is there a way?</P> <P>Thanks,</P> <P>Larry</P> Mon, 09 Sep 2013 05:24:35 GMT https://community.splunk.com/t5/Splunk-Search/search-field-for-many-values/m-p/57611#M14048 ltruesda 2013-09-09T05:24:35Z https://community.splunk.com/t5/Splunk-Search/search-field-for-many-values/m-p/57612#M14049 <P>Perhaps you can investigate the inputlookup / outputlookup methods of creating and maintaining a lookup file, e.g.</P> <P><CODE>|inputlookup file | modify stuff | outputlookup file</CODE></P> <P><A href="http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Inputlookup">http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Inputlookup</A><BR /> <A href="http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Outputlookup">http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Outputlookup</A></P> <P><A href="http://blogs.splunk.com/2011/01/11/maintaining-state-of-the-union/">http://blogs.splunk.com/2011/01/11/maintaining-state-of-the-union/</A></P> <P>/K</P> Mon, 09 Sep 2013 08:46:00 GMT https://community.splunk.com/t5/Splunk-Search/search-field-for-many-values/m-p/57612#M14049 kristian_kolb 2013-09-09T08:46:00Z https://community.splunk.com/t5/Splunk-Search/search-field-for-many-values/m-p/57613#M14050 <P>Hello, thanks for your suggestion, but as mentioned in my question I have looked into lookups and I believe it would require administrative access to the Splunk server to configure (e.g. edit .conf file and upload lookup file to appropriate folder) and maintain (e.g. replace lookup file when the search terms change) the lookup files. This is something I do not have and cannot get.</P> Mon, 09 Sep 2013 13:03:04 GMT https://community.splunk.com/t5/Splunk-Search/search-field-for-many-values/m-p/57613#M14050 ltruesda 2013-09-09T13:03:04Z https://community.splunk.com/t5/Splunk-Search/search-field-for-many-values/m-p/57614#M14051 <P>You don't need administrative access to the Splunk server to create a lookup. You can use the GUI.<BR /> The instructions are in the Splunk Tutorial <A href="http://docs.splunk.com/Documentation/Splunk/5.0.4/Tutorial/Usefieldlookups">here</A></P> Tue, 17 Sep 2013 10:51:18 GMT https://community.splunk.com/t5/Splunk-Search/search-field-for-many-values/m-p/57614#M14051 lguinn2 2013-09-17T10:51:18Z https://community.splunk.com/t5/Splunk-Search/search-field-for-many-values/m-p/57615#M14052 <P>I confirmed that it is true that you can provision the lookup_file via manager. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>I ended up using "... | lookup lookup_file.csv user_id_field as user | search tag_field = 1" where the lookup_file has two columns, user_id_field and tag_field". And each row contains a userid and a '1'. </P> <P>Works great. Thanks!</P> Mon, 28 Sep 2020 14:49:12 GMT https://community.splunk.com/t5/Splunk-Search/search-field-for-many-values/m-p/57615#M14052 ltruesda 2020-09-28T14:49:12Z https://community.splunk.com/t5/Splunk-Search/search-field-for-many-values/m-p/57616#M14053 <P>splunk tutorial link is broken</P> Thu, 31 Mar 2016 16:11:30 GMT https://community.splunk.com/t5/Splunk-Search/search-field-for-many-values/m-p/57616#M14053 stevenacasey 2016-03-31T16:11:30Z