
search help against lookup values

mcbradford
Contributor

eventtype=bluecoat [| inputlookup wfap_lookup | where wfap_priority=2 | fields wfap_indicator | rename wfap_indicator as search| format "" "(" "OR" ")" "OR" ""] user="test"

The lookup will contain values such as:

string      priority
car         0
"red car"   2
"blue car"  1
red         3

The problem I am having is with the multi-string values. For example, if I am looking for "red car", the search above will find within an event red and car, but not always as the string "red car". The event might have something like, "Red is a nice color. A fast car is fun to drive".

alacercogitatus
SplunkTrust

I would agree with Ayn, but when I ran it, the search didn't have the quotes around "red car". I added this: | eval search = "\"" .search."\"" | before the format and it returned with the quoted "red car", which will search for "red car" and not "red AND car".


Ayn
Legend

You can check exactly what the subsearch will return by just running it on its own, including the format at the end. I just tried recreating your scenario and get the search string ( "red car" ) OR ( "blue car" ). If you're getting the same string, I don't see why Splunk would behave like you describe. It should match the whole string, not individual words.
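To make the two replies above concrete, here is an added example (not code from the thread or from Splunk) that rebuilds the string the `| format "" "(" "OR" ")" "OR" ""` subsearch returns for the lookup in the question, with and without the `| eval search = "\"" .search."\""` step from alacercogitatus's reply, and then checks each result against the sample event the way Splunk treats bare words (implicit AND) versus quoted phrases. The lookup rows, their order, the event text and the helper names (`splunk_format`, `build_subsearch`, `event_matches`) are constructed for illustration; Splunk's `format` command and its search-time matching are only approximated here.

```python
"""Emulation of the subsearch quoting problem discussed in the thread.

Added example, not code from the original thread or from Splunk. Lookup rows,
row order, the event text and the helper names are constructed; the format
command and Splunk's term matching are approximations for illustration.
"""
import re

# Constructed lookup rows mirroring the table in the question; the column
# names follow the search (wfap_indicator, wfap_priority), row order assumed.
WFAP_LOOKUP = [
    {"wfap_indicator": "car", "wfap_priority": 0},
    {"wfap_indicator": "red car", "wfap_priority": 2},
    {"wfap_indicator": "blue car", "wfap_priority": 1},
    {"wfap_indicator": "red", "wfap_priority": 3},
]

# Constructed event text taken from the question.
EVENT = "Red is a nice color. A fast car is fun to drive"


def splunk_format(rows, args=("(", "(", "AND", ")", "OR", ")")):
    """Approximate Splunk's `format` command.

    `args` are its six positional arguments: row prefix, column prefix,
    column separator, column end, row separator, row end (defaults shown are
    Splunk's). A field literally named `search` is emitted verbatim; any other
    field is emitted as field="value".
    """
    row_prefix, col_prefix, col_sep, col_end, row_sep, row_end = args
    row_strings = []
    for row in rows:
        cols = [value if field == "search" else f'{field}="{value}"'
                for field, value in row.items()]
        joined_cols = f" {col_sep} ".join(cols)
        row_strings.append(f"{col_prefix} {joined_cols} {col_end}")
    joined_rows = f" {row_sep} ".join(row_strings)
    return f"{row_prefix} {joined_rows} {row_end}".strip()


def build_subsearch(priorities, quote_values):
    # Emulates: | inputlookup wfap_lookup | where wfap_priority=<p>
    #           | fields wfap_indicator | rename wfap_indicator as search
    #           | format "" "(" "OR" ")" "OR" ""
    # With quote_values=True the eval from the reply (wrapping each value in
    # escaped double quotes) is applied before format, so multi-word
    # indicators come out as quoted phrases instead of bare words.
    rows = [{"search": r["wfap_indicator"]}
            for r in WFAP_LOOKUP if r["wfap_priority"] in priorities]
    if quote_values:
        rows = [{"search": '"' + r["search"] + '"'} for r in rows]
    return splunk_format(rows, ("", "(", "OR", ")", "OR", ""))


_TOKEN = re.compile(r'"([^"]*)"|([()])|(\S+)')


def _tokenize(query):
    """Split a search string into quoted phrases, parentheses and bare words."""
    for m in _TOKEN.finditer(query):
        if m.group(1) is not None:
            yield ("phrase", m.group(1))
        elif m.group(2):
            yield (m.group(2), None)
        else:
            yield ("word", m.group(3))


def event_matches(query, event):
    """Approximate Splunk term matching of `query` against one event's text.

    Bare words must each occur as whole words (adjacent words are an implicit
    AND, which binds tighter than OR); a quoted phrase must occur as a
    contiguous substring. Matching is case-insensitive, as in Splunk.
    """
    tokens = list(_tokenize(query))
    text = event.lower()
    words = set(re.findall(r"\w+", text))
    pos = 0

    def is_keyword(kw):
        return pos < len(tokens) and tokens[pos][0] == "word" and tokens[pos][1].upper() == kw

    def term():
        nonlocal pos
        kind, value = tokens[pos]
        pos += 1
        if kind == "(":
            result = expr()
            pos += 1  # consume the matching ")"
            return result
        if kind == "phrase":
            return value.lower() in text
        return value.lower() in words

    def and_group():
        nonlocal pos
        result = term()
        while pos < len(tokens) and tokens[pos][0] != ")" and not is_keyword("OR"):
            if is_keyword("AND"):
                pos += 1
            rhs = term()  # always evaluate so the tokens are consumed
            result = result and rhs
        return result

    def expr():
        nonlocal pos
        result = and_group()
        while is_keyword("OR"):
            pos += 1
            rhs = and_group()
            result = result or rhs
        return result

    return expr()


if __name__ == "__main__":
    for quoted in (False, True):
        clause = build_subsearch({2}, quote_values=quoted)
        print(f"{clause!r:16} matches sample event: {event_matches(clause, EVENT)}")
    print(build_subsearch({1, 2}, quote_values=True))
```

Running it shows why the original search matched the sample event: without the eval, the subsearch expands to `( red car )`, which is `red AND car` and is satisfied by an event containing both words anywhere; with the eval it expands to `( "red car" )`, a phrase that the sample event does not contain. Running the subsearch on its own, as Ayn suggests, is the quickest way to see which of the two forms your lookup is producing.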
