Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Compare indexed file with lookup table where lookup table field is substring of indexed file field

rajchi
Explorer
‎03-07-2016 09:34 AM

I want to compare an indexed file with lookup table, where lookup table field is substring of indexed file field

Sample Indexed file:

_time file_name

03/04/16 7:00 ABC.DFG.123
03/04/16 7:00 DEF.DF.A123
03/04/16 7:00 QWE.DFG.ABC.peter
03/04/16 7:00 DBC.D.030416
03/04/16 7:00 QASDFG.123
03/04/16 7:00 ASDDFG.ABC.ZXC.MKL123
03/04/16 7:00 DEF.DF.A123
03/04/16 7:00 QWE.DFG.ABC.peter
03/04/16 7:00 DBC.D.030416
03/04/16 7:00 QASDFG.123
03/04/16 7:00 QASDFG.123
03/04/16 7:00 ASDDFG.ABC.ZXC.MKL123
03/04/16 7:00 DEF.DF.A123
03/04/16 7:00 QWE.DFG.ABC.peter
03/04/16 7:00 DBC.D.030416

Sample Lookup table:

file_name

ABC.DFG
DEF.DF.
QWE.DFG.ABC.
DBC.D
QASDFG
ASDDFG.ABC.ZXC.MKL

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎03-07-2016 12:18 PM

That would be easy.

Option 1: If you've access to update the lookup table file, update the lookup table to have an asterisk at the end of each value of file_name.
Sample Lookup table:

file_name
ABC.DFG*
DEF.DF.*
QWE.DFG.ABC.*
DBC.D*
QASDFG*
ASDDFG.ABC.ZXC.MKL*

Then run the search like this

index=foo sourcetype=bar [| inputlookup yourlookupname | table file_name]

This will filter to show only the events which file_name matching from lookup.

Option 2: If you can't update the lookup table content, then use this search

  index=foo sourcetype=bar [| inputlookup yourlookupname | table file_name | eval file_name=file_name."*" ]

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎03-07-2016 12:18 PM

That would be easy.

Option 1: If you've access to update the lookup table file, update the lookup table to have an asterisk at the end of each value of file_name.
Sample Lookup table:

file_name
ABC.DFG*
DEF.DF.*
QWE.DFG.ABC.*
DBC.D*
QASDFG*
ASDDFG.ABC.ZXC.MKL*

Then run the search like this

index=foo sourcetype=bar [| inputlookup yourlookupname | table file_name]

This will filter to show only the events which file_name matching from lookup.

Option 2: If you can't update the lookup table content, then use this search

  index=foo sourcetype=bar [| inputlookup yourlookupname | table file_name | eval file_name=file_name."*" ]
Reply
Solved! Jump to solution

rajchi
Explorer
‎03-07-2016 12:40 PM

Thanks for your reply @somesoni2, really appreciate it. Somehow option 2 is not working, I can try option 1 as well but my lookup table have other columns too like "start_time" and "end_time". If indexed field(i.e. file_name) is matching to lookup table field(i.e. file_name) then I have to check whether _time(indexed file field) falls between "start_time" and "end_time"(lookup table field) or not.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎03-07-2016 01:21 PM

For 2nd option, when you say it's not working, do you get an error OR the filtering is not happening as expected?

You didn't specify your start_time/end_time condition earlier and that makes it complex. For that you would need to create a lookup definition using which you'd be able to do a lookup based on wildcard. (See this https://answers.splunk.com/answers/52580/can-we-use-wildcard-characters-in-a-lookup-table.html). After that you can do like this to apply filters

your base search | lookup yourWildcardLookupDefinition OUTPUT start_time end_time | where isnotnull(start_time) AND _time>start_time AND _time<end_time
0 Karma
Reply
Solved! Jump to solution

rajchi
Explorer
‎03-07-2016 02:51 PM

Thanks a ton, you saved my day 🙂

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎03-07-2016 10:08 AM

How do you want to compare? Do you want to filter only the events with file_name pattern not present in lookup?

0 Karma
Reply
Solved! Jump to solution

rajkumar10
New Member
‎03-07-2016 10:13 AM

Thanks for your reply, I want to filter events with file_name pattern present in lookup

0 Karma
Reply
Get Updates on the Splunk Community!

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

To Community SOAR App Developers - we're reaching out with an important update regarding Python 3.9's ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...

Automatic Discovery Part 2: Setup and Best Practices

In Part 1 of this series, we covered what Automatic Discovery is and why it’s critical for observability at ...