Solved: How can I easily search multiple values for one fi...

ssgtballard · ‎03-02-2018

I use the following search for proxy logs
index=proxy src="10.10.10.10" | table _time,src, action, dest, status | dedup src,action, dest, status

For one src this is fine but I have to do a table like this for 100 different sources. Is there a way I can do this without putting src="10.10.10.10" OR src="192.168.1.1" and so on and so on.

Thanks

somesoni2 · ‎03-02-2018

You can put all 100 difference sources in a lookup table and use a subsearch to retrieve the sources dynamically into your search.

Lookup table: proxy_sources.csv (first line header)

src
10.10.10.10
192.168.1.1
..other
values...

New searching using above lookup

index=proxy [| inputlookup proxy_lookup.csv | table src ] | table _time,src, action, dest, status | dedup src,action, dest, status

View solution in original post

somesoni2 · ‎03-02-2018

You can put all 100 difference sources in a lookup table and use a subsearch to retrieve the sources dynamically into your search.

Lookup table: proxy_sources.csv (first line header)

src
10.10.10.10
192.168.1.1
..other
values...

New searching using above lookup

index=proxy [| inputlookup proxy_lookup.csv | table src ] | table _time,src, action, dest, status | dedup src,action, dest, status

How can I easily search multiple values for one field?

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?

How can I easily search multiple values for one field?

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem