topic Re: How to extract a field value to use as a search term for filtering? in Splunk Search

How to extract a field value to use as a search term for filtering?

pewaubek_reid — Tue, 29 Sep 2020 12:04:44 GMT

Hello,

I need a way to extract/convert a field value to a search condition.

Example:

field_value= "src_ip=192.168.1.1 AND user=Disco"
Search: mysearch NOT 'field_value' ---> which should translate to ---> mysearch NOT (src_ip=192.168.1.1 AND user=Disco)

I know the single quotes don't work. I am wondering if there is any function that helps.

Thanks!

Re: How to extract a field value to use as a search term for filtering?

somesoni2 — Tue, 29 Sep 2020 12:07:04 GMT

Is the values of "field_value" always similar, means your search condition is always on same fields src_ip and user?

Re: How to extract a field value to use as a search term for filtering?

pewaubek_reid — Tue, 13 Dec 2016 22:33:20 GMT

No. It would be dynamic and could be any combination of field=values.

Re: How to extract a field value to use as a search term for filtering?

nabeel652 — Tue, 29 Sep 2020 12:04:47 GMT

yoursearch | eval field_value="some value or and expression" | where another_field != $field_value$

Re: How to extract a field value to use as a search term for filtering?

pewaubek_reid — Tue, 29 Sep 2020 12:05:09 GMT

The problem with this is that it is still comparing fields and their respective values. The value(s) of 'field_value' can be any combination of field=value and would be dynamic, therefore defining a new field_value using eval wouldn't be efficient as I'd have to account for every possible field=value combination. I think the optimal situation here is to be able to "break out" 'field_value' and insert it into the search string. I would imagine a token + subsearch would work but I can't find a way to use a token inline in a search.

Re: How to extract a field value to use as a search term for filtering?

somesoni2 — Wed, 14 Dec 2016 16:23:37 GMT

I may have a workaround if the condition is always in format "field1=value1 AND field2=value2....". Is that the case (all conditions are conjoined by 'AND')?

Re: How to extract a field value to use as a search term for filtering?

pewaubek_reid — Wed, 14 Dec 2016 16:40:05 GMT

The condition can be in any combination of field=value so just "field1=value1" or "field1=value1 AND field2=value2 OR field3=value3"... The fields and values would exist independently in the base search, but not the new field containing the field=value pairs/combinations. That's why I'm trying to find a way to change the field=value pairs/combinations from a field value into a search condition/string. Thanks for your attention, any ideas are welcome.

Re: How to extract a field value to use as a search term for filtering?

somesoni2 — Wed, 14 Dec 2016 17:06:32 GMT

The field which contains the search condition is available in the raw data of base search(es) itself?

Re: How to extract a field value to use as a search term for filtering?

pewaubek_reid — Wed, 14 Dec 2016 17:16:44 GMT

Nope, the new field which I am populating with the dynamic field=value combinations doesn't exist in the raw data. The individual fields & values would exist which is why I need to insert them into the search query. I don't think that would matter anyway as I'm not trying to match field values, I'm trying to insert field=values combinations into search string.

Re: How to extract a field value to use as a search term for filtering?

somesoni2 — Wed, 14 Dec 2016 17:24:50 GMT

How are you populating the field which contains the search condition?
It wouldn't have helped if it was part of raw data, but if you're using a lookup OR something get that, there might be a way.

Re: How to extract a field value to use as a search term for filtering?

pewaubek_reid — Wed, 14 Dec 2016 17:31:40 GMT

Gotcha. I am using a lookup. The field_value will be dynamically populated with various field=value combinations.

Re: How to extract a field value to use as a search term for filtering?

somesoni2 — Wed, 14 Dec 2016 19:31:59 GMT

Would you mind providing your search, which includes the lookup command?

Re: How to extract a field value to use as a search term for filtering?

pewaubek_reid — Tue, 29 Sep 2020 12:07:58 GMT

I have a search that doesn't work. Open to ideas...

some_events some_sourcetype NOT [|inputlookup some_lookup.csv]

Re: How to extract a field value to use as a search term for filtering?

somesoni2 — Wed, 14 Dec 2016 21:24:36 GMT

Try something like this

some_events some_sourcetype NOT [|inputlookup some_lookup.csv | eval search=field_that_contains_conditions | table search ]

Re: How to extract a field value to use as a search term for filtering?

pewaubek_reid — Tue, 29 Sep 2020 12:08:00 GMT

I received an email alert for another comment here but it isn't showing up. Here it is quoted;

"Try something like this

some_events some_sourcetype NOT [|inputlookup some_lookup.csv | eval search=field_that_contains_conditions | table search ]"

I believe this is just renaming my field in the lookup table to 'search' not actually creating search conditions from the field value. I couldn't find an eval function called "search".