Solved: How can I easily search multiple values for one fi...

ssgtballard · ‎03-02-2018

I use the following search for proxy logs
index=proxy src="10.10.10.10" | table _time,src, action, dest, status | dedup src,action, dest, status

For one src this is fine but I have to do a table like this for 100 different sources. Is there a way I can do this without putting src="10.10.10.10" OR src="192.168.1.1" and so on and so on.

Thanks

somesoni2 · ‎03-02-2018

You can put all 100 difference sources in a lookup table and use a subsearch to retrieve the sources dynamically into your search.

Lookup table: proxy_sources.csv (first line header)

src
10.10.10.10
192.168.1.1
..other
values...

New searching using above lookup

index=proxy [| inputlookup proxy_lookup.csv | table src ] | table _time,src, action, dest, status | dedup src,action, dest, status

View solution in original post

somesoni2 · ‎03-02-2018

You can put all 100 difference sources in a lookup table and use a subsearch to retrieve the sources dynamically into your search.

Lookup table: proxy_sources.csv (first line header)

src
10.10.10.10
192.168.1.1
..other
values...

New searching using above lookup

index=proxy [| inputlookup proxy_lookup.csv | table src ] | table _time,src, action, dest, status | dedup src,action, dest, status

How can I easily search multiple values for one field?

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Shape the Future of Splunk: Join the Product Research Lab!

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

Are you a member of the Splunk Community?

How can I easily search multiple values for one field?

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Shape the Future of Splunk: Join the Product Research Lab!

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal