topic Re: Lookup file question in Splunk Search

Lookup file question

yooitsgreg — Thu, 16 Jun 2022 13:52:56 GMT

I am wanting to use a lookup file to drive search for an alert. This seems a bit unique as I am not wanting to use event data from results to drive the lookup, but rather have all the lookup entries dynamically added to the search itself. Below is the example use-case:

CSV file example:
Index, ErrorKey
"index1","Error string 1"
"index1","Error string 2"
"index2","Error string 3"

Looking to use it to scale a search like this:

index=index1 OR index=index 2 ("Error string 1" OR "Error string 2" OR "Error string 3")

Basically the index/error string combo could be managed in the csv file as opposed to the alert search itself. Making it easier to add/scale/maintain the search criteria. Is this possible?

Re: Lookup file question

ITWhisperer — Thu, 16 Jun 2022 14:20:08 GMT

It is not clear what your requirement is - from

Index, ErrorKey
"index1","Error string 1"
"index1","Error string 2"
"index2","Error string 3"

do you want

(index=index1 AND ErrorKey="Error string 1") OR (index=index1 AND ErrorKey="Error string 2") OR (index=index2 AND ErrorKey="Error string 3") - three combinations

(index=index1 AND ErrorKey="Error string 1") OR (index=index1 AND ErrorKey="Error string 2") OR (index=index1 AND ErrorKey="Error string 3") OR (index=index2 AND ErrorKey="Error string 1") OR (index=index2 AND ErrorKey="Error string 2") OR (index=index2 AND ErrorKey="Error string 3") - six combinations

The first version maintains the combinations from the csv file, whereas the second version is closer to your "expanded" search

Also, instead of searching for the ErrorKey field in your events being equal to the string from the csv file, do you want to search for the string anywhere in the raw event (as your expanded search seems to suggest)?

Re: Lookup file question

yooitsgreg — Thu, 16 Jun 2022 14:25:44 GMT

Sorry for the confusion. Option 1 I believe is what I am looking for with the 3 combinations:

(index=index1 AND ErrorKey="Error string 1") OR (index=index1 AND ErrorKey="Error string 2") OR (index=index2 AND ErrorKey="Error string 3")

I am wanting to search for the string anywhere in the raw event. ErrorKey is not a field value in the events and not possible to create this field as the error string in the result data is not standardized.

Thank you for your reply

Re: Lookup file question

ITWhisperer — Thu, 16 Jun 2022 15:09:17 GMT

Try something like this

You may need to remove some double quotes