splunkerer
Path Finder
06-06-2021
12:41 AM
I am providing data from one input in the dashboard and want to search for the provided input strings in different fields, which may include the provided inputs. All the fields can contain the same data format if they are not empty.
I am using the following search, but it is not working.
Note: the provided input can be a single value as well.
Expected result:
index=hashstore
a.hash="aaaaaaaaa" OR a.hash="bbbbbbbbbb" OR a.hash="ccccccccccc"
OR
b.hash="aaaaaaaaa" OR b.hash="bbbbbbbbbb" OR b.hash="ccccccccccc"
OR
c.hash="aaaaaaaaa" OR c.hash="bbbbbbbbbb" OR c.hash="ccccccccccc"
OR
d.hash="aaaaaaaaa" OR d.hash="bbbbbbbbbb" OR d.hash="ccccccccccc"
CURRENT SEARCH -- not giving the expected result.
index=hashstore
[| makeresults
| rename a.hash{} as hash
| eval a.hash="aaaaaaaaa,bbbbbbbbbb,ccccccccccc"
| eval a.hash=split(a.hash,",")
| mvexpand a.hash
| append
[| makeresults
| rename b.hash{} as b.hash
| eval b.hash="aaaaaaaaa,bbbbbbbbbb,ccccccccccc" | eval b.hash=split(b.hash,",")
| mvexpand b.hash
]
| append
[| makeresults
| rename c.hash{} as c.hash
| eval c.hash ="aaaaaaaaa,bbbbbbbbbb,ccccccccccc" | eval c.hash =split(c.hash ,",")
| mvexpand c.hash
]
| append
[| makeresults
| rename d.hash{} as d.hash
| eval d.hash="aaaaaaaaa,bbbbbbbbbb,ccccccccccc" | eval d.hash=split(d.hash,",")
| mvexpand d.hash
]
| table a.hash, b.hash, c.hash, d.hash
]
Thanks,
1 Solution
ITWhisperer

SplunkTrust
06-06-2021
01:09 AM
Since
index=hashstore
a.hash="aaaaaaaaa" OR a.hash="bbbbbbbbbb" OR a.hash="ccccccccccc"
OR
b.hash="aaaaaaaaa" OR b.hash="bbbbbbbbbb" OR b.hash="ccccccccccc"
OR
c.hash="aaaaaaaaa" OR c.hash="bbbbbbbbbb" OR c.hash="ccccccccccc"
OR
d.hash="aaaaaaaaa" OR d.hash="bbbbbbbbbb" OR d.hash="ccccccccccc"
can be written as
index=hashstore
a.hash="aaaaaaaaa" OR
a.hash="bbbbbbbbbb" OR
a.hash="ccccccccccc" OR
b.hash="aaaaaaaaa" OR
b.hash="bbbbbbbbbb" OR
b.hash="ccccccccccc" OR
c.hash="aaaaaaaaa" OR
c.hash="bbbbbbbbbb" OR
c.hash="ccccccccccc" OR
d.hash="aaaaaaaaa" OR
d.hash="bbbbbbbbbb" OR
d.hash="ccccccccccc"
your search can be something like
index=hashstore
[| makeresults
| eval hash=split("abcd","")
| mvexpand hash
| eval hash=hash.".hash"
| eval value=split("aaaaaaaaa,bbbbbbbbbb,ccccccccccc",",")
| mvexpand value
| eval {hash}=value
| fields - _time hash value]
splunkerer
Path Finder
06-06-2021
07:22 AM
Thanks for the solution, this is working fine, but the issue is that my original field names end with {}. I forgot to mention it; the original search should be like below.
How can I get this result?
index=hashstore
a.hash{}="aaaaaaaaa" OR
a.hash{}="bbbbbbbbbb" OR
a.hash{}="ccccccccccc" OR
b.hash{}="aaaaaaaaa" OR
b.hash{}="bbbbbbbbbb" OR
b.hash{}="ccccccccccc" OR
c.hash{}="aaaaaaaaa" OR
c.hash{}="bbbbbbbbbb" OR
c.hash{}="ccccccccccc" OR
d.hash{}="aaaaaaaaa" OR
d.hash{}="bbbbbbbbbb" OR
d.hash{}="ccccccccccc"
ITWhisperer

SplunkTrust
06-06-2021
08:18 AM
index=hashstore
[| makeresults
| eval hash=split("abcd","")
| mvexpand hash
| eval hash=hash.".hash"
| eval value=split("aaaaaaaaa,bbbbbbbbbb,ccccccccccc",",")
| mvexpand value
| eval {hash}=value
| fields - _time hash value
| rename * as *{}]
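Added example, not part of the original thread: a small Python model of what the subsearch above hands back to the outer search, so the expansion can be checked offline. The helper names `build_rows` and `render_filter` are hypothetical, the hash values are the thread's placeholders, and the exact spacing of the rendered string is an assumption of the model.

```python
# Model of the accepted answer: one row per (prefix, value) pair, each row
# holding a single dynamically named field, rendered the way a subsearch
# result is turned into a filter (fields in a row ANDed, rows ORed).
from itertools import product


def build_rows(prefixes, csv_values, suffix=""):
    """Mirror split/mvexpand/eval {hash}=value; suffix="{}" mirrors rename * as *{}."""
    values = [v.strip() for v in csv_values.split(",") if v.strip()]
    if not values:
        raise ValueError("no hash values supplied")  # empty dashboard input
    return [{f"{p}.hash{suffix}": v} for p, v in product(prefixes, values)]


def render_filter(rows):
    """Join the fields of each row with AND and the rows with OR."""
    def quote(value):
        # Backslash-escape characters that would end the quoted value early.
        return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'

    groups = []
    for row in rows:
        terms = " AND ".join(f"{field}={quote(val)}" for field, val in row.items())
        groups.append(f"( {terms} )")
    return "( " + " OR ".join(groups) + " )"


if __name__ == "__main__":
    # Constructed input: the thread's placeholder values and field prefixes.
    rows = build_rows("abcd", "aaaaaaaaa,bbbbbbbbbb,ccccccccccc", suffix="{}")
    print(len(rows), "rows")
    print(render_filter(rows))
    # Two fields in ONE row are ANDed, which is why each row carries one field.
    print(render_filter([{"a.hash{}": "aaaaaaaaa", "b.hash{}": "aaaaaaaaa"}]))
```

In Splunk itself, running the bracketed subsearch on its own with `| format` appended shows the generated expression in the `search` field.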
splunkerer
Path Finder
06-07-2021
09:30 AM
Thanks @ITWhisperer you are the best!
