- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Create search query where events match lookup ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Create search query where events match lookup table 'fieldA' column (all have values) but exclude events that do not have a value in 'fieldB' column.
Example Lookup Table entries:
fieldA fieldB
value value
value 'blank'
value value
Show events where 'fieldA' matches but exclude events where 'fieldB' is blank, within the lookup table. 'fieldB' does not exist in any of the events.
Test query (that does not work):
| lookup fieldA | search fieldB != ""
I believe the query above will match events that contain 'fieldA' but then searches the events where fieldB is blank within the event. Again, the events do not contain 'fieldB' and I'm not looking to append any other fields within the lookup table.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like this:
index=<YouShouldAlwaysSpecifyAnIndex> AND sourcetype=<AndSourcetypeToo> AND
[|inputlookup <YourLookupNameHere>
| fillnull fieldA fieldB value="T3mpPl4c3h0ld3r"
| format
| rex field=search mode=sed "s/(\S+)=\"T3mpPl4c3h0ld3r\"/NOT \1=\"*\"/"]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I will give it a shot and will report back with my results.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How did it go?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Our team has not had a chance to try it yet, due to some other real-world issues. I'm pretty optimistic that this should work for them.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| inputlookup Lookup_Table
| table fieldA fieldB
| where NOT fieldB == " "
This should work.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
To clarify, here is the full search query example:
| lookup fieldA | search fieldB != ""
I'm looking to display only sourcetype events that contain an entry in fieldA and fieldB of the lookup table, and not the ones that contain an entry in fieldA where fieldB is blank. I'm not looking to display specific rows within the lookup table. Thanks for the suggestion though.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| inputlookup Lookup_Table
| eventstats values( fieldA) as tmp
| eval found=if(isnull(mvfind(tmp, fieldB)),0,1) | where found=1
| table fieldA fieldB
| where NOT fieldB == " "
Try this.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I will give it a shot and will report back with my results.
Developer Spotlight with Paul Stout
State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...
Data-Driven Success: Splunk & Financial Services
