Splunk Search

Find the keyword in the raw data and match it with Splunk

prettysunshinez
Explorer

Hi,

I have a lookup file with the columns (fields) Name and SubName.
Now I want to run a query which looks for the presence of Name in the raw data; if present, it checks whether that Name is in the lookup file and, if so, takes the respective SubName value, producing a search result with Name, SubName and count.
If the value is not present, it should display the Name as New and SubName as Fix.

Kindly help!


gcusello
SplunkTrust

Hi @prettysunshinez.
Can I assume that Name is an extracted field in your raw data?
If so, you can run something like this:

index=your_index
| dedup Name
| lookup my_lookup.csv Name OUTPUT SubName
| sort Name
| fillnull value="fix" SubName
| table Name SubName

Ciao.
Giuseppe


prettysunshinez
Explorer

Hi @gcusello
Thanks for the suggestion.

I think I was not clear in asking 🙂

The actual aim is to find the count of each Name present in the logs and match its SubName from the lookup file.
If the Name is not present, it should be displayed as New.

Name is not an already extracted field, hence I'm writing a regex to extract it.
(It is the word present right before the word Error, and I have written a regex for it.)

Now my search has to check for the presence of Name (a specific pattern matched by the regex) in the logs; when found, it has to check whether that Name exists in the lookup file and display its SubName from the lookup. If the Name is not present, it has to be displayed as New.

My senior suggested the query below, and it doesn't seem to help.

index=your_index
| rename _raw as rawText
| eval pattern=[
    | inputlookup mylookup.csv
    | stats values(Name) AS query
    | eval query=mvjoin(query,",")
    | fields query
    | format "" "" "" "" "" ""
    ]
| eval pattern=split(pattern,",")
| mvexpand pattern
| eval pattern="%".pattern."%"
| eval check=if(like(rawText,pattern),pattern,"No")
| rex field=pattern "\%(?<pattern>[^\%]*)\%"
| lookup mylookup.csv Name AS pattern OUTPUT SubName
| fillnull value="New" Name
| stats count by Name

This doesn't seem to help.
Could you kindly share your thoughts/suggestions on this, please?

Thanks in advance!


prettysunshinez
Explorer

Hi,

Could you provide your suggestions, please?


gcusello
SplunkTrust

Hi @prettysunshinez.
As I said, if you manage to extract the Name field, my search is the solution to your question:

index=your_index
| rex "your regex"
| dedup Name
| lookup my_lookup.csv Name OUTPUT SubName
| sort Name
| fillnull value="New" SubName
| table Name SubName

If you share an example of your logs, I can help you with the regex.

If instead you cannot extract the Name field and you have to search for the names from the lookup in your search as text strings, you have to use the search that your senior suggested; it's correct (it's one of my old answers!).

Ciao.
Giuseppe

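A worked example, added here and not code from either poster, that mirrors the rex, lookup, fillnull and stats steps of the accepted pipeline in Python so the behaviour on a missing lookup match can be checked offline. The lookup contents, the raw events and the regex (word immediately before "Error") are constructed assumptions.

```python
import csv
import io
import re
from collections import Counter

# Constructed stand-in for my_lookup.csv: Name -> SubName.
LOOKUP_CSV = """Name,SubName
Auth,Login
Payment,Checkout
"""

# Constructed raw events; the Name is the word right before "Error".
RAW_EVENTS = [
    "2024-01-01 10:00:00 host1 Auth Error: token expired",
    "2024-01-01 10:00:05 host1 Payment Error: card declined",
    "2024-01-01 10:00:09 host2 Auth Error: token expired",
    "2024-01-01 10:00:12 host2 Cache Error: miss storm",
    "2024-01-01 10:00:15 host2 service healthy",
]

# Equivalent of the "| rex" step: capture the word immediately before "Error".
NAME_RE = re.compile(r"(?P<Name>\w+)\s+Error\b")


def load_lookup(text):
    """Equivalent of the CSV lookup: dict mapping Name -> SubName."""
    return {row["Name"]: row["SubName"] for row in csv.DictReader(io.StringIO(text))}


def extract_name(raw):
    """Returns the extracted Name, or None when the event has no match."""
    m = NAME_RE.search(raw)
    return m.group("Name") if m else None


def count_by_name(raw_events, lookup, missing_label="New"):
    """rex -> lookup Name OUTPUT SubName -> fillnull value="New" SubName -> stats count by Name SubName.

    Returns {(Name, SubName): count}. Events where the regex does not match have
    no Name field, and "stats count by Name" drops such events, so they are skipped here.
    """
    counts = Counter()
    for raw in raw_events:
        name = extract_name(raw)
        if name is None:
            continue
        # fillnull applies to SubName: a Name absent from the lookup keeps its own
        # value and gets the fill label as its SubName.
        counts[(name, lookup.get(name, missing_label))] += 1
    return dict(counts)
```

Note that fillnull must target SubName: after the rex step Name is never empty, so `fillnull value="New" Name` would change nothing.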