Splunk Enterprise Security

Is there a way to modify an inputlookup subsearch from an implied equals operator to an "IN" operator?

cogden
Engager

I have a subsearch doing "| inputlookup" against a CSV... the implied operator is equals. "Column/Field = Cell Value" ... is anybody aware of a way to overload or modify that operator from equals to IN. For example, if my cell value is a comma-separated list value1,value2 I dont want the search to be field="value1,value2" I would want the search to be field IN (value1,value2)

Example search:
|tstats count WHERE [inputlookup test.csv]

Example: test.csv:
mycolumn
value1,value2

Desired expanded search:
|tstats count WHERE mycolumn IN (value1,value2)

Actual expanded search:
| tstats count WHERE mycolumn="value1,value2"

0 Karma

woodcock
Esteemed Legend

Use this macro:

[convert_search_from_ORs_to_IN]
definition = rename COMMENT AS "EXTREME WARNING!!! THIS IS ONLY VALID IF YOU ARE USING A SINGLE FIELD!!!!"\
| rex field=search mode=sed "s/^\(\s*\(\s*// s/\s*\)\s*\)$/)/ s/=/ IN(/ s/\s*\)\s*OR\s*\([^=]+=/,/g"
errormsg = Description: Author=Gregg Woodcock; this is necessary because if the number of characters in a search string is too great, the search may fail; this conversion saves ~50%!
iseval = 0

Then, any place where you are doing something like this:

index=foo [|inputlookup tableOfHosts | table host]

Change it to this:

index=foo [|inputlookup tableOfHosts | table host | `convert_search_from_ORs_to_IN`]
0 Karma

cogden
Engager

SOLVED INTERNALLY:

Adding to the subsearch an eval split based on comma followed by an mvexpand accomplishes a similar result:

Example:

|tstats count WHERE [ | inputlookup test.csv | eval mycolumn = split(mycolumn,",") | mvexpand mycolumn ]

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...