Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Filter based on a list

Craigrow
Explorer
‎11-11-2013 09:51 AM

I have a list of about 400 object GUIDs. I want to filter a log file so that I see only the entries with one of those GUIDs. Is there a way I can do this in Splunk?

Thanks for the help.

Tags (1)
0 Karma
Reply

Craigrow
Explorer
‎11-11-2013 11:07 AM

That seems to work. Thanks!

Unfortunately the log file has multiple entries for each object. I only care aobout one for each object. I can filter by date to find it but it's a different date for each one. Can I do something like this?

[myevent]
search = (04640321-0000-0000-0000-008cfa1f7f0c AND 10/4/2013) OR (04640321-0000-0000-0000-008cfa1f7f0c and 10/5/2013) OR...

0 Karma
Reply

somesoni2
Revered Legend
‎11-11-2013 10:15 AM

If you have that list as an external file (csv), lookups are the best solution. one you have it as lookup table in Splunk, you can use use "lookup" command to match your GUIDs or can use "inputlookup" command within the main search(provided a field exists with same name) or using join.

0 Karma
Reply

jtrucks
Splunk Employee
Splunk Employee
‎11-11-2013 10:03 AM

You could create a lookup file if this list will be somewhat dynamic. Then you would have to match against the lookup table output. I don't recommend this approach unless the list will change because it is more complicated than another, easier approach.

You could create a rather long eventtype to capture those GUIDs. Then your search simple looks like (assuming you name the event type "myguidlist"):

eventtype=myguidlist

You can prepend or append any other search terms and it will only have those GUIDs from your eventtype list.

--
Jesse Trucks
Minister of Magic
Reply

jtrucks
Splunk Employee
Splunk Employee
‎11-11-2013 03:44 PM

Yes, you can, and don't forget to mark it as an accepted answer!

--
Jesse Trucks
Minister of Magic
Reply

Craigrow
Explorer
‎11-11-2013 11:07 AM

That seems to work. Thanks!

Unfortunately the log file has multiple entries for each object. I only care about one for each object. I can filter by date to find it but it's a different date for each one. Can I do something like this?

[myevent]
search = (04640321-0000-0000-0000-008cfa1f7f0c AND 10/4/2013) OR (04640321-0000-0000-0000-008cfa1f7f0c and 10/5/2013) OR...

0 Karma
Reply

jtrucks
Splunk Employee
Splunk Employee
‎11-11-2013 10:24 AM

Yup! just set it up like that.

--
Jesse Trucks
Minister of Magic
0 Karma
Reply

Craigrow
Explorer
‎11-11-2013 10:18 AM

Thanks jtrucks.

It is a one-off proof-of-concept so I'm inclined to take the easier approach. So the eventtypes.conf would looks something like this?

[myevent]
search = 04640321-0000-0000-0000-008cfa1f7f0c OR 04640321-0000-0000-0000-008cfa1f7f0c OR...

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...