Filter based on a list

Explorer

I have a list of about 400 object GUIDs. I want to filter a log file so that I see only the entries with one of those GUIDs. Is there a way I can do this in Splunk?

Thanks for the help.


SplunkTrust

If you have that list as an external file (CSV), lookups are the best solution. Once you have it as a lookup table in Splunk, you can use the "lookup" command to match your GUIDs, or use the "inputlookup" command within the main search (provided a field exists with the same name), or use a join.

Splunk Employee

You could create a lookup file if this list will be somewhat dynamic. Then you would have to match against the lookup table output. I don't recommend this approach unless the list will change because it is more complicated than another, easier approach.

You could create a rather long eventtype to capture those GUIDs. Then your search simply looks like this (assuming you name the event type "myguidlist"):

eventtype=myguidlist

You can prepend or append any other search terms and it will only have those GUIDs from your eventtype list.

Splunk Employee

Yes, you can, and don't forget to mark it as an accepted answer!

Explorer

That seems to work. Thanks!

Unfortunately the log file has multiple entries for each object. I only care about one for each object. I can filter by date to find it but it's a different date for each one. Can I do something like this?

[myevent]
search = (04640321-0000-0000-0000-008cfa1f7f0c AND 10/4/2013) OR (04640321-0000-0000-0000-008cfa1f7f0c AND 10/5/2013) OR...

Splunk Employee

Yup! just set it up like that.

Explorer

Thanks jtrucks.

It is a one-off proof-of-concept so I'm inclined to take the easier approach. So the eventtypes.conf would look something like this?

[myevent]
search = 04640321-0000-0000-0000-008cfa1f7f0c OR 04640321-0000-0000-0000-008cfa1f7f0c OR...

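Hand-typing 400 GUIDs (or GUID/date pairs) into an eventtypes.conf stanza is error-prone, so here is an added example, not from the thread or from Splunk, that generates the stanza from a plain list. It assumes a constructed input of one "guid" or "guid,date" per line, validates each entry so a malformed line cannot smuggle extra search operators into the eventtype, de-duplicates, and emits upper-case AND/OR (Splunk treats a lower-case "and" as a literal word, not a boolean); quoting the date term is this example's choice, not something the thread states.

```python
import re

# Accept only well-formed GUIDs and m/d/yyyy dates so a stray line in the
# list (e.g. "* OR index=*") cannot widen the generated search.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
DATE_RE = re.compile(r"^\d{1,2}/\d{1,2}/\d{4}$")

# Constructed sample input in the shape the question describes; the GUIDs
# are not real object identifiers. The third line is a duplicate and the
# fourth is malformed, to show both being dropped.
SAMPLE_LIST = """\
04640321-0000-0000-0000-008cfa1f7f0c,10/4/2013
04640321-0000-0000-0000-008cfa1f7f0d,10/5/2013
04640321-0000-0000-0000-008cfa1f7f0c,10/4/2013
not-a-guid,10/6/2013
"""


def parse_list(text):
    """Return ordered, de-duplicated (guid, date_or_None) pairs; skip bad lines."""
    seen, pairs = set(), []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        guid, _, date = (part.strip() for part in line.partition(","))
        if not GUID_RE.match(guid) or (date and not DATE_RE.match(date)):
            continue  # reject rather than emit anything that is not a GUID/date
        key = (guid.lower(), date or None)  # Splunk term matching is case-insensitive
        if key not in seen:
            seen.add(key)
            pairs.append(key)
    return pairs


def build_search(pairs):
    """Join the entries with upper-case boolean operators, one (GUID AND date) group per pair."""
    terms = [f'({guid} AND "{date}")' if date else guid for guid, date in pairs]
    return " OR ".join(terms)


def build_eventtype_stanza(name, pairs):
    """Render a complete eventtypes.conf stanza for the given eventtype name."""
    return f"[{name}]\nsearch = {build_search(pairs)}\n"


if __name__ == "__main__":
    print(build_eventtype_stanza("myguidlist", parse_list(SAMPLE_LIST)))
```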