Field Name/Value Pairs - Searching with a Lookup Table

SplunkMonster
Engager

I'm looking to read in a set of field name/value pairs from a given lookup table (using inputlookup) and then use that as a set of parameters in a search. Specifically, I'm looking to search for a "field_name = X" value in a given index and then use that list of field/value pairs as an exclusion list to what I'm searching for. I could also have multiple sets of field/value pairs. So, in other words, in plain English:

Search for FieldName = X in ABC Index
But not if (A=blah AND B=doh AND C=meh) OR (B=meh AND C=blah)
(etc.)

and the A/blah, B/doh, C/meh etc. values would all be field/value pairs in the lookup table that are read in via inputlookup.

So far I've successfully used inputlookup with CSV tables for filtering out/including single values where I pre-define the field name in the search, but I haven't found a good way of doing more complicated logic where the field name is actually being read from a table and you can have multiple groupings. I'd appreciate any feedback/help anyone has to offer. Thanks!

0 Karma

gkanapathy
Splunk Employee

You might look at subsearches and use of the "format" search command, sending extra non-default arguments to "format". It may be able to do what you want.

0 Karma

Ayn
Legend

Where do you get stuck with using inputlookup? Let's say you have the following lookup:

A,B,C
blah,doh,meh
,meh,blah

This will translate into the filter string you've specified (you can see this for yourself by running "|inputlookup yourlookup | format"):

( ( A="blah" AND B="doh" AND C="meh" ) OR ( B="meh" AND C="blah" ) )

To negate this, just put a NOT before the subsearch. So in conclusion, you'll want something like:

index=ABC FieldName=X NOT [|inputlookup yourlookup]
0 Karma
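To make the behaviour of that subsearch concrete, the following is an added example (not from the original thread or from Splunk) that models what `| inputlookup yourlookup | format` does: each lookup row becomes a group of ANDed field="value" terms, the groups are ORed, blank cells are dropped, and the result is negated with NOT. It then runs the same exclusion logic over a few constructed events so you can check which ones survive. The lookup contents, the event records and the helper names are all assumptions made for the example; the backslash escaping of embedded quotes is the assumed SPL convention, not something the thread states.

```python
import csv
import io

# Constructed sample lookup (assumption for this example, mirrors the thread):
# one row per exclusion group; a blank cell means that field is not part
# of the group, which is exactly how the second row below becomes (B AND C).
LOOKUP_CSV = """A,B,C
blah,doh,meh
,meh,blah
"""

# Constructed sample events (assumption for this example).
EVENTS = [
    {"FieldName": "X", "A": "blah", "B": "doh", "C": "meh"},  # hit by group 1
    {"FieldName": "X", "A": "zzz", "B": "meh", "C": "blah"},  # hit by group 2
    {"FieldName": "X", "A": "blah", "B": "doh", "C": "zzz"},  # partial only: kept
    {"FieldName": "X", "A": "blah", "B": "meh"},              # C missing: kept
]


def read_lookup(csv_text):
    """Parse the lookup into one {field: value} dict per row, dropping empty
    cells, which is what inputlookup hands to format (blank = no term)."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        pairs = {k: v for k, v in row.items() if v}
        if pairs:
            rows.append(pairs)
    return rows


def spl_quote(value):
    """Render a value as a double-quoted SPL literal. Escaping embedded
    backslashes and quotes is an assumed convention for this example."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def format_filter(rows):
    """Build the string that | format emits with its default prefixes and
    separators: terms within a row ANDed, rows ORed, wrapped in parentheses."""
    if not rows:
        return ""
    groups = []
    for pairs in rows:
        terms = " AND ".join(f"{k}={spl_quote(v)}" for k, v in pairs.items())
        groups.append(f"( {terms} )")
    return "( " + " OR ".join(groups) + " )"


def build_search(index, field_name, value, rows):
    """Assemble the full search from the thread: base terms NOT [subsearch]."""
    return f"index={index} {field_name}={spl_quote(value)} NOT {format_filter(rows)}"


def matches_group(event, pairs):
    # Every field in the group must be present in the event with that value.
    return all(event.get(k) == v for k, v in pairs.items())


def apply_exclusion(events, rows):
    """Return the events that match none of the exclusion groups, i.e. the
    effect of the NOT [...] clause on the results."""
    return [e for e in events if not any(matches_group(e, g) for g in rows)]


if __name__ == "__main__":
    groups = read_lookup(LOOKUP_CSV)
    print(build_search("ABC", "FieldName", "X", groups))
    for e in apply_exclusion(EVENTS, groups):
        print("kept:", e)
```

Two things to check before relying on this in production: the lookup's column names must match the event field names exactly (the subsearch is just text substitution, so a mismatched name silently matches nothing and excludes nothing), and subsearches are capped by limits.conf (by default 10,000 results and 60 seconds), so a large exclusion lookup can be truncated without an error in the results; for big lists, a `lookup`-then-`where` pattern avoids that cap.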