topic Re: Inputlookup and match only whole word in field text in Splunk Search

Inputlookup and match only whole word in field text

John__Doe — Fri, 08 Sep 2017 07:40:29 GMT

I want to use a keyword list (inputlookup) to find a keyword (whole word only !) in the event text.

Sample Event text (field name is 'data'):

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Aliquam pretium urna vel auctor tempus. Integer velit libero, faucibus id ex.

I've imported a csv file containing keywords.

Keyword
adipiscing
faucibus

The inputlookup works fine:

| imputlookup keywords.csv

Searching for just a keyword works fine:

index=lorum adipiscing

Using inputlookup with the csv file doesn't work (no matches):

index=lorum [| imputlookup keywords.csv]

Any help writing my query is highly appreciated.

Re: Inputlookup and match only whole word in field text

gcusello — Fri, 08 Sep 2017 08:03:37 GMT

Hi John__Doe,
you have to modify your subsearch:

your_search [ | inputlookup your_lookup.csv | rename keyword as query | fields query ]

In this way you can use lookup's keywords for a full text search.
Bye.
Giuseppe

Re: Inputlookup and match only whole word in field text

John__Doe — Fri, 08 Sep 2017 08:08:47 GMT

Hi Cusello,

I've tried this:

index=lorum data=*  [ | inputlookup keywords.csv | rename keyword as query | fields query ]

But still no luck

Re: Inputlookup and match only whole word in field text

gcusello — Fri, 08 Sep 2017 08:15:03 GMT

what's the name of the field in lookup? you must use it in rename command.
Bye.
Giuseppe

Re: Inputlookup and match only whole word in field text

John__Doe — Fri, 08 Sep 2017 08:18:35 GMT

The name of the field in 'keywords.csv' is keyword (lower k).

keyword
adipiscing
faucibus

Re: Inputlookup and match only whole word in field text

gcusello — Fri, 08 Sep 2017 08:29:31 GMT

Using this method you can use lookup keywords to run a full text search on all the raw event, data field is in the raw data or not?
if data isn't in _raw field and instead it's only in a differente field and you want to search keywords in this field you must use a different approach
index=lorum data=* [ | inputlookup keywords.csv | eval data=""+keyword+"" | fields data ]
Bye.
Giuseppe

Re: Inputlookup and match only whole word in field text

John__Doe — Fri, 08 Sep 2017 09:49:13 GMT

First example works (needed to change the time span). Apologize for the inconvenience caused

I've an error with the second example:

Error in 'search' command: Unable to parse the search: Comparator '=' has an invalid term on the right hand side: ((data= "adipiscing") OR (data= "faucibus"))

Re: Inputlookup and match only whole word in field text

gcusello — Fri, 08 Sep 2017 10:01:29 GMT

Sorry: there's an error, I forgot the first asterisk!

index=lorum data= [ | inputlookup keywords.csv | eval data="*"+keyword+"*" | fields data ]

The second solution should be more performant.

Bye.
Giuseppe

Re: Inputlookup and match only whole word in field text

John__Doe — Fri, 08 Sep 2017 10:15:29 GMT

still an error 🙂
Needs to be:

index=lorum data=* [ | inputlookup keywords.csv | eval data="*"+keyword+"*" | fields data ]

This doesn't find only the whole word because of using the asterisk wildcard ( * ). But still a useful example for me.

Re: Inputlookup and match only whole word in field text

gcusello — Fri, 08 Sep 2017 11:29:43 GMT

The best way is to use the first solution.
Bye.
Giuseppe
P.S.: if you're satisfied, please accept answer.

Re: Inputlookup and match only whole word in field text

John__Doe — Fri, 08 Sep 2017 11:32:13 GMT

many thanks and accepted