Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Filtering on lookup field values using multiple values on a few field

landen99
Motivator
‎10-14-2016 03:20 PM

Searching for events which match any of multiple values for the same field times several fields in a lookup using the subsearch filter or the mv_append eval function.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

landen99
Motivator
‎10-14-2016 03:23 PM

The most efficient approach is a subsearch filter using the case-insensitive search command before the first pipe (preferred) if the list of values is under 50k:

index=myindex OR index=myindex2 [| inputlookup mycsv | search (cpu=1 hostname=stuff) OR (cpu=2 hostname=stuff2) | table hostname | rename hostname AS host ]

Creating a multi-value field to match on the lookup table, the mvappend command does the job:
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/CommonEvalFunctions

... | eval field_mvappend=mvappend(field_mv, "middle value", field_sv) | lookup mycsv field_mvappend OUTPUT mynewfield | search mynewfield=*

Or if the issue is only with case, you can either format the case in the lookup and in the source data using lower(). I prefer all field values to be lowercase.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

landen99
Motivator
‎10-14-2016 03:23 PM

The most efficient approach is a subsearch filter using the case-insensitive search command before the first pipe (preferred) if the list of values is under 50k:

index=myindex OR index=myindex2 [| inputlookup mycsv | search (cpu=1 hostname=stuff) OR (cpu=2 hostname=stuff2) | table hostname | rename hostname AS host ]

Creating a multi-value field to match on the lookup table, the mvappend command does the job:
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/CommonEvalFunctions

... | eval field_mvappend=mvappend(field_mv, "middle value", field_sv) | lookup mycsv field_mvappend OUTPUT mynewfield | search mynewfield=*

Or if the issue is only with case, you can either format the case in the lookup and in the source data using lower(). I prefer all field values to be lowercase.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...