Solved: How can I easily search multiple values for one fi...

ssgtballard · ‎03-02-2018

I use the following search for proxy logs
index=proxy src="10.10.10.10" | table _time,src, action, dest, status | dedup src,action, dest, status

For one src this is fine but I have to do a table like this for 100 different sources. Is there a way I can do this without putting src="10.10.10.10" OR src="192.168.1.1" and so on and so on.

Thanks

somesoni2 · ‎03-02-2018

You can put all 100 difference sources in a lookup table and use a subsearch to retrieve the sources dynamically into your search.

Lookup table: proxy_sources.csv (first line header)

src
10.10.10.10
192.168.1.1
..other
values...

New searching using above lookup

index=proxy [| inputlookup proxy_lookup.csv | table src ] | table _time,src, action, dest, status | dedup src,action, dest, status

View solution in original post

somesoni2 · ‎03-02-2018

You can put all 100 difference sources in a lookup table and use a subsearch to retrieve the sources dynamically into your search.

Lookup table: proxy_sources.csv (first line header)

src
10.10.10.10
192.168.1.1
..other
values...

New searching using above lookup

index=proxy [| inputlookup proxy_lookup.csv | table src ] | table _time,src, action, dest, status | dedup src,action, dest, status

How can I easily search multiple values for one field?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Network to App: Observability Unlocked [May & June Series]

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation