https://community.splunk.com/t5/Splunk-Search/Detecting-keywords-from-another-search-in-a-field-from-other/m-p/133052#M36338 <P>Configuration of the Lookup table files and Lookup definitions are required. </P> <P><SEARCH><BR /> .....|join ExtraInfo[ | inputlookup lookup_tbl]|table Keyword,Count<BR /> <LOOKUP_TBL><BR /> ExtraInfo,Keyword<BR /> "User-Gmail-GoogleChrome","Gmail"<BR /> "User-Gmail-GoogleChromeXXX","Gmail"<BR /> "User-Gmail-GoogleChromeYYY","Gmail"<BR /> "Inbox-Yahoo! Mail","Yahoo! Mail"<BR /> "Inbox-Yahoo! MailXXX","Yahoo! Mail"<BR /> "Inbox-Yahoo! MailYYY","Yahoo! Mail"</LOOKUP_TBL></SEARCH></P> Mon, 28 Sep 2020 15:46:56 GMT HiroshiSatoh 2020-09-28T15:46:56Z https://community.splunk.com/t5/Splunk-Search/Detecting-keywords-from-another-search-in-a-field-from-other/m-p/133051#M36337 <P>Hi Guys,</P> <P>I have a requirement like this. In a search I am getting a field like<BR /> ExtraInfo Count<BR /> User-Gmail-GoogleChrome 6<BR /> Inbox-Yahoo! Mail 3<BR /> .....</P> <P>In another I have keywords like Gmail,Yahoo! Mail,...etc.</P> <P>I want to write a query which gives me the output like this.</P> <P>Keyword Count<BR /> Gmail 6<BR /> Yahoo! Mail 3</P> <P>Could you please help me in this regard?</P> Fri, 31 Jan 2014 01:47:55 GMT https://community.splunk.com/t5/Splunk-Search/Detecting-keywords-from-another-search-in-a-field-from-other/m-p/133051#M36337 tirusplunk 2014-01-31T01:47:55Z https://community.splunk.com/t5/Splunk-Search/Detecting-keywords-from-another-search-in-a-field-from-other/m-p/133052#M36338 <P>Configuration of the Lookup table files and Lookup definitions are required. </P> <P><SEARCH><BR /> .....|join ExtraInfo[ | inputlookup lookup_tbl]|table Keyword,Count<BR /> <LOOKUP_TBL><BR /> ExtraInfo,Keyword<BR /> "User-Gmail-GoogleChrome","Gmail"<BR /> "User-Gmail-GoogleChromeXXX","Gmail"<BR /> "User-Gmail-GoogleChromeYYY","Gmail"<BR /> "Inbox-Yahoo! Mail","Yahoo! Mail"<BR /> "Inbox-Yahoo! MailXXX","Yahoo! Mail"<BR /> "Inbox-Yahoo! MailYYY","Yahoo! Mail"</LOOKUP_TBL></SEARCH></P> Mon, 28 Sep 2020 15:46:56 GMT https://community.splunk.com/t5/Splunk-Search/Detecting-keywords-from-another-search-in-a-field-from-other/m-p/133052#M36338 HiroshiSatoh 2020-09-28T15:46:56Z https://community.splunk.com/t5/Splunk-Search/Detecting-keywords-from-another-search-in-a-field-from-other/m-p/133053#M36339 <P>Can I place only keywords in lookup table instead of both ExtraInfo and Keyword?</P> Fri, 31 Jan 2014 03:29:01 GMT https://community.splunk.com/t5/Splunk-Search/Detecting-keywords-from-another-search-in-a-field-from-other/m-p/133053#M36339 tirusplunk 2014-01-31T03:29:01Z https://community.splunk.com/t5/Splunk-Search/Detecting-keywords-from-another-search-in-a-field-from-other/m-p/133054#M36340 <P><SOURCE>ExtraInfo!=ExtraInfo|eval X=case(ExtraInfo LIKE "%Gmail%","Gmail",ExtraInfo LIKE "%Outlook Web App%","Outlook Web App",ExtraInfo LIKE "%Yahoo! Mail%","Yahoo! Mail")</SOURCE></P> <P>I could think of this. But can I manage this big case statement(this case statement may grow) like an event-type or something else in my splunk?</P> Fri, 31 Jan 2014 05:36:11 GMT https://community.splunk.com/t5/Splunk-Search/Detecting-keywords-from-another-search-in-a-field-from-other/m-p/133054#M36340 tirusplunk 2014-01-31T05:36:11Z https://community.splunk.com/t5/Splunk-Search/Detecting-keywords-from-another-search-in-a-field-from-other/m-p/133055#M36341 <P>Custom field cannot be edited without a LOOKUP?<BR /> <EX><BR /> ....|rex field=ExtraInfo "-(?<KEYWORD>.*)$"|table Keyword</KEYWORD></EX></P> <P><KEYWORD><BR /> Gmail-GoogleChrome<BR /> Yahoo! Mail</KEYWORD></P> Fri, 31 Jan 2014 07:08:39 GMT https://community.splunk.com/t5/Splunk-Search/Detecting-keywords-from-another-search-in-a-field-from-other/m-p/133055#M36341 HiroshiSatoh 2014-01-31T07:08:39Z https://community.splunk.com/t5/Splunk-Search/Detecting-keywords-from-another-search-in-a-field-from-other/m-p/133056#M36342 <P>Try this</P> <PRE><CODE>&lt;first search giving fields ExtraInfo,Count&gt; | fields ExtraInfo, Count | eval joinfield=1 | join type=left max=0 joinfield [search &lt;second search giving fields Keyword&gt; | fields Keyword | eval joinfield=1] | eval shouldInclude=if(like(ExtraInfo,"%".Keyword."%"),"Yes","No") | where shouldInclude="Yes" | fields Keyword, Count </CODE></PRE> Fri, 31 Jan 2014 17:32:08 GMT https://community.splunk.com/t5/Splunk-Search/Detecting-keywords-from-another-search-in-a-field-from-other/m-p/133056#M36342 somesoni2 2014-01-31T17:32:08Z