Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Help with Splunk search query and Lookup

Shashank_87
Explorer
‎08-02-2019 12:57 AM

Hi, I am struggling to form my search query along with lookup. So the scenarios is like this -
I have a search query which gets a web service response in which there is a tag "identifier" and this tags occurs multiple times in the same event with values like like P123456, D123465 etc.
On other side I have a lookup which contains some of these identifiers (only D*). Now I only want to retrieve those UNIQUE events which matches any of the identifier from the lookup.
I have written a query but not sure if that is correct (don't want to use join) and if someone can help me with a better search that would be highly appreciated.

index=test sourcetype=sales_log getProdDetails "soap response"
| rex field=_raw "=(?[^|]+)"
| rex field=_raw "identifier>(?[^<]+)" max_match=200
| eval productIdentifierNew = mvfilter(productIdentifier LIKE "D%")
| mvexpand productIdentifierNew
| join productIdentifierNew max=0
[| inputlookup productIdentifier.csv
| rename productIdentifier as productIdentifierNew]

Best Regards

0 Karma
Reply

woodcock
Esteemed Legend
‎08-05-2019 05:21 PM

Like this:

index=test sourcetype=sales_log getProdDetails "soap response" 
| rex field=_raw "identifier>(?<productIdentifierNew>D[^\<]+)" max_match=200 
| lookup productIdentifier productIdentifierNew OUTPUT productIdentifier AS KeepMe
| where isnotnull(KeepMe)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎08-02-2019 02:31 AM

Hi Shashank_87,
to not use join is a good idea!
in fact you don't need to use join command with a lookup because the lookup command is a join!
so you could try something like this:

index=test sourcetype=sales_log getProdDetails "soap response" 
| rex field=_raw "=(?[^\|]+)" 
| rex field=_raw "identifier>(?[^\<]+)" max_match=200 
| eval productIdentifierNew = mvfilter(productIdentifier LIKE "D%") 
| mvexpand productIdentifierNew 
| lookup productIdentifier.csv productIdentifier AS productIdentifierNew OUTPUT interesting fields
| table ....

Bye.
Giuseppe

0 Karma
Reply

Shashank_87
Explorer
‎08-02-2019 03:08 AM

@gcusello
Hi Giuseppe, Thanks for your swift response. I tried using lookup command but what should i be putting in the interesting fields? So my lookup only contains one field "productIdentifier" and fields I want is uniqueID which is present in the events so that I can dedup it afterwards to get the unique events.

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...