Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Can eval if match be used with inputlookup?

chrisfrigo
Path Finder
‎01-27-2015 05:51 PM

So what I'm trying trying to achieve is searching a field for contained in a CSV file, not an exact match. I can do this with single word using

| eval catch=if(match(field123,"contain-word"),"matches","other") | search catch=matches

but wondering if there's some way of using inputlookups or if anyone can recommend another way to search a field containing with a input file. This is what I have tried.

| eval catch=if(match(field123,"[| inputlookup input-file]"),"matches","other") | search catch=matches

Tags (2)
Reply

Raghav2384
Motivator
‎01-27-2015 06:10 PM

Try this logic...

...base search [|inputlookup xyz.csv|eval Catch = if(match(field1,"matching term"),"match","other")|where Catch = "match"|fields Field_i_need_from_lookup]

So basically, you are applying the match function on lookup first and retrieving needed field where Catch = Match and passing it to the parent search.

Hope this helps.

Thanks,
Raghav

0 Karma
Reply

chrisfrigo
Path Finder
‎01-27-2015 07:10 PM

hmmm... the matching terms are the text contained in the CSV so not sure this will work.

0 Karma
Reply

chrisfrigo
Path Finder
‎01-27-2015 07:12 PM

I'm trying to search words contained in a CSV file in a particular field, hence why I was trying to use inputlookup in the match criteria.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk on November 6 at 11AM PT, and empower your SOC to reach new heights! Duration: ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...