Solved: How can I easily search multiple values for one fi...

ssgtballard · ‎03-02-2018

I use the following search for proxy logs
index=proxy src="10.10.10.10" | table _time,src, action, dest, status | dedup src,action, dest, status

For one src this is fine but I have to do a table like this for 100 different sources. Is there a way I can do this without putting src="10.10.10.10" OR src="192.168.1.1" and so on and so on.

Thanks

somesoni2 · ‎03-02-2018

You can put all 100 difference sources in a lookup table and use a subsearch to retrieve the sources dynamically into your search.

Lookup table: proxy_sources.csv (first line header)

src
10.10.10.10
192.168.1.1
..other
values...

New searching using above lookup

index=proxy [| inputlookup proxy_lookup.csv | table src ] | table _time,src, action, dest, status | dedup src,action, dest, status

View solution in original post

somesoni2 · ‎03-02-2018

You can put all 100 difference sources in a lookup table and use a subsearch to retrieve the sources dynamically into your search.

Lookup table: proxy_sources.csv (first line header)

src
10.10.10.10
192.168.1.1
..other
values...

New searching using above lookup

index=proxy [| inputlookup proxy_lookup.csv | table src ] | table _time,src, action, dest, status | dedup src,action, dest, status

How can I easily search multiple values for one field?

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Join the Conversation

How can I easily search multiple values for one field?

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...