Splunk Search

i have 40 use cases to evaluate status or incidents in a log file? What programming approch should i follow, how can i use CASE statement here?

alfiyashaikh
New Member

I have 40 usecases.
I have 800+ incidents in incident log file
Every inicident should be evaluated by these 40 usecases, and relative feedback should be added to the report .
1 incident can have 1 or more than 1 feedback depending on how many usecases turn out to be true.

Tags (1)
0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi alfiyashaikh,
use a lookup to manage all your patterns to search:
if you have to search a value in a field, use this

your_search [ | inputlookup my_patterns.csv | table field ]
| ...

field name must be the same in search.

If instead you have to search a pattern in full text search, use this

your_search [ | inputlookup my_patterns.csv | rename field AS query | table query ]
| ...

I have a lookup with all the patterns to search typed by sourcetype, so I can use all patterns or only the ones with a specific sourcetype

your_search [ | inputlookup my_patterns.csv | search sourcetype=my_sourcetype | rename field AS query | table query ]
| ...

Bye.
Giuseppe

View solution in original post

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi alfiyashaikh,
use a lookup to manage all your patterns to search:
if you have to search a value in a field, use this

your_search [ | inputlookup my_patterns.csv | table field ]
| ...

field name must be the same in search.

If instead you have to search a pattern in full text search, use this

your_search [ | inputlookup my_patterns.csv | rename field AS query | table query ]
| ...

I have a lookup with all the patterns to search typed by sourcetype, so I can use all patterns or only the ones with a specific sourcetype

your_search [ | inputlookup my_patterns.csv | search sourcetype=my_sourcetype | rename field AS query | table query ]
| ...

Bye.
Giuseppe

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...