- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Filter out a subset of items based on another valu...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Filter out a subset of items based on another value in a CSV lookup
Hello again,
So lets say I have a CSV file that looks like the following:
node_code region_code
SAN AMERICAS
JPN APAC
NYC AMERICAS
CHN APAC
FRA EMEA
NUR EMEA
And lets say my search is the following:
<query>errorcode=$errorcode_tok$ | dedup em_event_alert | eval dv_node=upper(dv_node) | rex field=dv_node "(?P<testnode>\w{3})" | stats count by testnode</query>
And just for reference:
Field Definitions
- dv_node = The string that holds the hostname of devices
- em_event_alert = A unique alert ID #
What I'm trying to do is create a dropdown with a list of Regions. So in this example, if the user selects AMERICAS from the dropdown, I want to filter the search results to only display those corresponding items... in our case, SAN & NYC would be the values displayed.
As you can see in the search, it queries for the selected errorcode (don't worry, I already have that functionality figured out), dedup's, and then it takes the hostname, and makes the whole thing uppercase. Finally, we strip out just the first 3 letters (that's how I am able to match it up to the node_code field in the CSV). But I can't seem to determine how to start to create that search query. Any ideas would definitely be appreciated. Thanks in advance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi!
I believe the easiest way is the following:
% your query %
| lookup lookup_filename.csv node_code AS testnode
| search region_code=$token_drilldown$
| fields - region_code
Of course, you must change lookup_filename.csv and $token_drilldown$ with the names of your lookup and drilldown token.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not sure I follow in regards to the $token_drilldown$ variable. I've never used drilldown because as far as I know, its based on you clicking on something to go down further. I just want to utilize a dropdown menu with those values.
If you can go into more detail, maybe it would make sense; right now, I'm not seeing it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm sorry for typo, I meant $token_dropdown$ (not $token_drilldown$) as token from your dropdown list.
With the lookup command you'll create a new field region_code corresponding to testnode. And with search command you'll filter out all region codes except selected in dropdown list.
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
