Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Field Name/Value Pairs - Searching with a Lookup Table

SplunkMonster
Engager
‎08-13-2013 12:24 PM

I'm looking to read in a set of field name/value pairs from a given lookup table (using inputlookup) and then use that as a set of parameters in a search. Specifically, I'm looking to search for "field_name = X" value in a given index and then use that list of field/value pairs as an exclusion list to what I'm searching for. I could also have multiple sets of field/value pairs. So, in other words, in plain english:

Search for FieldName = X in ABC Index
But not if (A=blah AND B=doh AND C=meh) OR (B=meh AND C=blah)
(etc.)

and the A/blah, B/doh, C/meh etc. values would all be field/value pairs in the lookup table that are read in via inputlookup.

So far I've successfully used inputlookup w/csv tables for filtering out/including single values where I pre-define the field name in the search, but I haven't found a good way of doing more complicated logic where the field name is actually being read from a table and you can have multiple groupings. I'd appreciate any feedback/help anyone has to offer. Thanks!

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎08-13-2013 03:55 PM

You might look at subsearches and use of the "format" search command, sending extra non-default arguments to "format". It may be able to do what you want.

0 Karma
Reply

Ayn
Legend
‎08-13-2013 12:43 PM

Where do you get stuck with using inputlookup? Let's say you have the following lookup:

A,B,C
blah,doh,meh
,meh,blah

This will translate into the filter string you've specified (you can see this for yourself by running "|inputlookup yourlookup | format"):

( ( A="blah" AND B="doh" AND C="meh" ) OR ( B="meh" AND C="blah" ) )

To negate this, just put a NOT before the subsearch. So in conclusion, you'll want something like:

index=ABC FieldName=X NOT [|inputlookup yourlookup]
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...