Solved: Quick and Dirty Keyword Search

stakor · ‎03-31-2017

I know that this can be done with a lookup, but I was wondering if there was a quick and dirty way to search through web traffic for like three keywords. For example:

bad1
bad2
bad3

I would like to break the keywords into counts. Normally you would do count by fieldName.

Is there a way to do this in SPL, and not have to create a lookup table for each time you go hunting for something? This would probably be used once or twice per set of keywords - that is why I am not trying to do a saved lookup.

somesoni2 · ‎03-31-2017

Try something like this

your base search bad1 OR bad2 OR bad3 
| eval keyword=case(searchmatch("bad1"),"bad1",searchmatch("bad2"),"bad2",searchmatch("bad3"),"bad3")
| stats count by keyword

OR

your base search bad1 OR bad2 OR bad3 
| rex max_match=0 "(?<keyword>(bad1|bad2|bad3)"
| stats count by keyword

View solution in original post

somesoni2 · ‎03-31-2017

Try something like this

your base search bad1 OR bad2 OR bad3 
| eval keyword=case(searchmatch("bad1"),"bad1",searchmatch("bad2"),"bad2",searchmatch("bad3"),"bad3")
| stats count by keyword

OR

your base search bad1 OR bad2 OR bad3 
| rex max_match=0 "(?<keyword>(bad1|bad2|bad3)"
| stats count by keyword

Quick and Dirty Keyword Search

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

Join the Conversation

Quick and Dirty Keyword Search

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey