topic Re: What can I use if I need to check for multiple values of a field in my search in Splunk Search

What can I use if I need to check for multiple values of a field in my search

ayushdimri — Wed, 02 Aug 2017 19:39:45 GMT

I have a simple query like below, where I am looking for tickets created by a group of people and then passing it to a chart for visualization.

sourcetype=incident (openedBy="user1" OR openedBy="user2" OR openedBy="user3" OR openedBy="user4" OR openedBy="user5" OR openedBy="user6" OR openedBy="user7") | chart count over assignmentGroup by status

I would like to know if I can use some feature in splunk where I can store the complete openedBy part of the query and call it in my search.

Please help..

Re: What can I use if I need to check for multiple values of a field in my search

DalJeanis — Wed, 02 Aug 2017 23:00:43 GMT

1) Put it in a csv file

|makeresults 
| eval OpenedBy="user1 user2 user3 user4 user5 user6 user7" 
| makemv OpenedBy 
| mvexpand OpenedBy
| table OpenedBy
| outputcsv myOpenedByList.csv

2) Read in the csv file inside of braces

 sourcetype=incident [ | inputcsv myOpenedByList.csv | table OpenedBy]
| chart count over assignmentGroup by status

Because of the braces, the implicit format command will convert the values to read...

 (openedBy="user1" OR openedBy="user2" OR openedBy="user3" OR 
  openedBy="user4" OR openedBy="user5" OR openedBy="user6" OR 
  openedBy="user7")

3) To see how that implicit format command works, you can do it explicitly ...

  | inputcsv myOpenedByList.csv | table OpenedBy | format

...or, just for fun, even like this ...

  | inputcsv myOpenedByList.csv | table OpenedBy | format "(" "squiggle" "squaggle" "argle" "bargle" ")"

Re: What can I use if I need to check for multiple values of a field in my search

ayushdimri — Thu, 03 Aug 2017 14:10:52 GMT

Thank You for the reply...!

Looks like I am missing something here... Below is what I did as per the answer posted. Let me know if am missing something.

Created a file - 'myopenedByList.csv' and added the below comment in the file.
Added this file as a "Lookup table files"
Added "Lookup definition" for the above file.
Performed the query as per the direction below using "inputcsv"

But am getting "No results" as the return. I know there are results to return, because when I do the standard search using "openedBy=user1" am getting the result.

Please suggest if I am missing something here.

Thanks again for your time..!!

Re: What can I use if I need to check for multiple values of a field in my search

somesoni2 — Thu, 03 Aug 2017 14:27:15 GMT

Does the column name in myopenedByList.csv is openedBy? Do the values match exactly (no extra space before or after)?

Another option would be (in case list of openedBy user list is small) to create search macro to store your OR clause.
https://docs.splunk.com/Documentation/SplunkCloud/6.6.1/Knowledge/Definesearchmacros
Macro name: openedByFilter
Macro definition: (openedBy="user1" OR openedBy="user2" OR openedBy="user3" OR openedBy="user4" OR openedBy="user5" OR openedBy="user6" OR openedBy="user7")

Updated search:

sourcetype=incident `openedByFilter` | chart count over assignmentGroup by status

Re: What can I use if I need to check for multiple values of a field in my search

ayushdimri — Thu, 03 Aug 2017 14:47:27 GMT

Thank You somesonei2

Tried macro and it worked.!!

Regarding the inputcsv approach, I do not have any column in the csv file. As suggested in the answer, I created the .csv file as below.

Re: What can I use if I need to check for multiple values of a field in my search

ayushdimri — Thu, 03 Aug 2017 14:48:36 GMT

Macro approach suggested by somesoni2 worked for me.

Re: What can I use if I need to check for multiple values of a field in my search

somesoni2 — Thu, 03 Aug 2017 15:02:35 GMT

If you used the above query to generate the lookukp, it should've a column name openedBy. Try running following and paste the result with header here.

| inputlookup LookupDefinitionYouCreated

Re: What can I use if I need to check for multiple values of a field in my search

richgalloway — Thu, 03 Aug 2017 15:24:02 GMT

I've moved somesoni2's comment to answer. Please accept it if your problem is solved.

Re: What can I use if I need to check for multiple values of a field in my search

ayushdimri — Thu, 03 Aug 2017 17:06:05 GMT

|makeresults↕

This is the result am getting.. The first row is showing up as column.

Re: What can I use if I need to check for multiple values of a field in my search

ayushdimri — Thu, 03 Aug 2017 17:06:33 GMT

Sorry I meant first row is showing up as header.. 😞