Splunk Search

Filter out a subset of items based on another value in a CSV lookup

kiddsupreme
Explorer

Hello again,

So let's say I have a CSV file that looks like the following:

node_code   region_code
SAN          AMERICAS
JPN          APAC
NYC          AMERICAS
CHN          APAC
FRA          EMEA
NUR          EMEA

And let's say my search is the following:

<query>errorcode=$errorcode_tok$ | dedup em_event_alert | eval dv_node=upper(dv_node) | rex field=dv_node "(?P&lt;testnode&gt;\w{3})" | stats count by testnode</query>

And just for reference:

Field Definitions
- dv_node = The string that holds the hostname of devices
- em_event_alert = A unique alert ID #

What I'm trying to do is create a dropdown with a list of Regions. So in this example, if the user selects AMERICAS from the dropdown, I want to filter the search results to only display those corresponding items... in our case, SAN & NYC would be the values displayed.

As you can see in the search, it queries for the selected errorcode (don't worry, I already have that functionality figured out), dedups, and then it takes the hostname and makes the whole thing uppercase. Finally, we strip out just the first 3 letters (that's how I am able to match it up to the node_code field in the CSV). But I can't seem to determine how to start to create that search query. Any ideas would definitely be appreciated. Thanks in advance.

0 Karma

nryabykh
Path Finder

Hi!

I believe the easiest way is the following:

% your query %
| lookup lookup_filename.csv node_code AS testnode 
| search region_code=$token_drilldown$
| fields - region_code

Of course, you must change lookup_filename.csv and $token_drilldown$ with the names of your lookup and drilldown token.

0 Karma

kiddsupreme
Explorer

Not sure I follow in regards to the $token_drilldown$ variable. I've never used drilldown because, as far as I know, it's based on you clicking on something to go down further. I just want to utilize a dropdown menu with those values.

If you can go into more detail, maybe it would make sense; right now, I'm not seeing it.

0 Karma

nryabykh
Path Finder

I'm sorry for the typo, I meant $token_dropdown$ (not $token_drilldown$) as the token from your dropdown list.

With the lookup command you'll create a new field region_code corresponding to testnode. And with the search command you'll filter out all region codes except the one selected in the dropdown list.

0 Karma
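To make the behaviour of the suggested pipeline concrete, here is an added Python model of it that is not part of this thread and not Splunk code. It replays the stages from the question and the answer (filter on errorcode, dedup on em_event_alert, uppercase, rex for the first three word characters, stats count by testnode, lookup on node_code AS testnode, search on region_code) over the CSV from the question and a handful of constructed events. The event values and the errorcode/region selections are made up for illustration; the field names are the ones the question uses.

```python
import csv
import io
import re
from collections import Counter

# Lookup table copied from the question's CSV example.
LOOKUP_CSV = """node_code,region_code
SAN,AMERICAS
JPN,APAC
NYC,AMERICAS
CHN,APAC
FRA,EMEA
NUR,EMEA
"""

# Constructed events standing in for raw search results. dv_node holds the
# hostname and em_event_alert the unique alert id, as defined in the question.
EVENTS = [
    {"em_event_alert": "a1", "dv_node": "san-core-01", "errorcode": "E42"},
    {"em_event_alert": "a2", "dv_node": "nyc-edge-07", "errorcode": "E42"},
    {"em_event_alert": "a2", "dv_node": "nyc-edge-07", "errorcode": "E42"},  # duplicate alert id, dropped by dedup
    {"em_event_alert": "a3", "dv_node": "JPN-dc-02", "errorcode": "E42"},
    {"em_event_alert": "a4", "dv_node": "san-core-02", "errorcode": "E42"},
    {"em_event_alert": "a5", "dv_node": "xyz-unknown", "errorcode": "E42"},  # prefix not in the lookup
    {"em_event_alert": "a6", "dv_node": "fra-rtr-01", "errorcode": "E17"},   # different errorcode
]

# Same pattern as the question's rex: first three word characters, named testnode.
NODE_RE = re.compile(r"(?P<testnode>\w{3})")


def load_lookup(csv_text):
    """Parse the CSV lookup into {node_code: region_code}."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["node_code"]: row["region_code"] for row in reader}


def dedup(events, field):
    """Keep the first event per distinct value of `field`, like `dedup <field>`."""
    seen = set()
    kept = []
    for ev in events:
        if ev[field] not in seen:
            seen.add(ev[field])
            kept.append(ev)
    return kept


def run_pipeline(events, lookup, errorcode, region):
    """Model of: errorcode=<tok> | dedup em_event_alert | eval upper | rex
    | stats count by testnode | lookup node_code AS testnode
    | search region_code=<dropdown token> | fields - region_code.
    Returns {testnode: count} for the selected region."""
    matched = dedup([e for e in events if e["errorcode"] == errorcode], "em_event_alert")

    # eval dv_node=upper(dv_node) | rex ... | stats count by testnode
    counts = Counter()
    for ev in matched:
        m = NODE_RE.search(ev["dv_node"].upper())
        if m:
            counts[m.group("testnode")] += 1

    # lookup adds region_code per testnode; rows with no match get no region_code
    # and therefore fail the `search region_code=...` stage, so they are dropped.
    return {node: n for node, n in counts.items() if lookup.get(node) == region}


if __name__ == "__main__":
    table = load_lookup(LOOKUP_CSV)
    for region in ("AMERICAS", "APAC", "EMEA"):
        print(region, run_pipeline(EVENTS, table, "E42", region))
```

Two points the model makes visible: rows whose three-letter prefix has no entry in the lookup disappear after the search stage, so the result is silently narrowed to nodes that are present in the CSV; and because the dropdown token is substituted straight into the search string, the dropdown's choices are best populated from the lookup's region_code values rather than accepted as free text.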