topic Re: Is there a splunk equivalent for 'grep -f' ? in Splunk Search

Is there a splunk equivalent for 'grep -f' ?

alcm_b — Mon, 19 Aug 2013 13:55:47 GMT

In *NIX, there is a command

grep -f 'long_list_of_regex' 'my_log_file'

, which reads a list of search commands from file. I wonder if there is an equivalent for that in Splunk. Basically - is there a way to perform a search for each of (quite long) list of regex, without making a long search query out of them?

Re: Is there a splunk equivalent for 'grep -f' ?

Ayn — Mon, 19 Aug 2013 15:31:05 GMT

Does it have to be regular expressions or would regular search expressions that can be understood by the search command suffice? If so, you could use subsearches for this. Setup your file with search expressions as a lookup in Splunk, and then read that file into a subsearch. Let's say your lookup is called searchstrings.csv and looks like this:

query
expression1
expression2
expression3
...

Then if you issue a search like this:

* [|inputlookup searchstrings.csv | fields query]

The subsearch will expand into a filter string so the search will look something like this in the end:

* (("expression1") OR ("expression2") OR ("expression3") OR ... )

I imagine this is something similar to what you want to do.

Note that the field "query" that I used in the example lookup is a special field name that makes Splunk output a "raw" filter string in the search. If you call it something else, say, "blah", the subsearch will instead expand to ((blah="expression1") OR ... )

Re: Is there a splunk equivalent for 'grep -f' ?

alcm_b — Mon, 19 Aug 2013 16:52:39 GMT

I want to something similar to 'inputlookup', but with regular expressions.

To be more specific, I have a file with error message templates used by application, and I search for corresponding actual errors in application log files. Regex examples:
File not found: .*
Invalid value '.' is provided for parameter '.'.

Thanks for 'inputlookup' explanation anyway.