topic Re: Matching arbitrary fields in inputlookup in Splunk Search

What is the best way to match arbitrary fields in inputlookup

yuanliu — Mon, 28 Feb 2022 14:50:13 GMT

With events, I can do

| search index=foo *bar*

This will match any event containing the string "bar" regardless where it appears. But with |inputlookup, this will not work.

I can work around it using foreacch. But it looks rather labored.

| inputlookup mylookup | foreach * [| search <<FIELD>>=*bar*]

Is this the best way?

Re: Matching arbitrary fields in inputlookup

m_pham — Sat, 26 Feb 2022 03:31:30 GMT

You just do this:

| inputlookup my_lookup | search field=*value*

Re: Matching arbitrary fields in inputlookup

gcusello — Sat, 26 Feb 2022 07:10:55 GMT

Hi @yuanliu,

it runs on indexes because you have the _raw field and when you run a full text search it's the same thing that you run "_raw=*bar*", but in a lookup you don't have the _raw so it doesn't run.

If you want to search a word in all the fields of your lookup, you have to recreate the _raw:

| inputlookup mylookup | eval _raw=field 1." ".field2." ".field3." ".field4 | search _raw="*bar*"

maybe it's easier to use a summary index instead of a lookup.

Ciao.

Giuseppe

Re: Matching arbitrary fields in inputlookup

yuanliu — Sat, 26 Feb 2022 18:28:09 GMT

Thanks for the suggestion! My lookup changes so infrequently (and is not super large) that it is perhaps not worth the summary. But it is definitely a path for more intense use cases.

Re: Matching arbitrary fields in inputlookup

yuanliu — Sat, 26 Feb 2022 18:37:56 GMT

@m_pham Yes, I can search any individual field. Usually lookups would not contain freehand text in more than one field. This peculiar one has several freehand fields that I want to give a lazy search option.

The foreach method in my OP does the job. But it feels silly to use heavy artillery for what looks really simple when _raw exists.