Splunk Search

How can I search in logs for multiple values from a file

ma_anand1984
Contributor

I want to search logs for a list of keywords I have, say I have a hundred strings. How can I achieve that in Splunk?


MHibbin
Influencer

Probably your best bet is to have a lookup file containing your list of strings, which will make it easier to maintain (rather than multiple searches with lists of strings).

You could then use the inputlookup command in a sub-search to generate your list of words, then apply this to your base-level search command. This would use something like the following as the search string (source can be substituted with sourcetype, host, *, etc.):

source=<someSource> [|inputlookup <someLookup> | fields <field> | rename <field> as search]

For example (not entirely tested), on some SNMP logs, looking for certain severity keywords:

source=snmp [|inputlookup severity | fields sev | rename sev as search]

Where the SNMP messages are contained in the "snmp" source, "severity" is the reference for the lookup in transforms.conf, and "sev" is the field containing my list of key severity terms.

Some references:

http://docs.splunk.com/Documentation/Splunk/5.0/Knowledge/Addfieldsfromexternaldatasources
http://docs.splunk.com/Documentation/Splunk/5.0/Search/Aboutsubsearches
http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/Inputlookup
http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/Fields

ma_anand1984
Contributor

Trying hard for more than a week. Seems my creativity is not good enough for this scenario :(. Any particular sub-search commands that come to your mind?

0 Karma

MHibbin
Influencer

I'm not too sure, and currently have limited access to a Splunk install. But you should definitely look at some of the other sub-search commands. I think there will be a solution to help; you will probably need to run another sub-search to generate those results.

0 Karma

ma_anand1984
Contributor

@MHibbin
I'm also interested in getting a count of the matched strings, or at least just a list of matched strings. Is it possible?

0 Karma

MHibbin
Influencer

... glad it helped anyway

0 Karma

MHibbin
Influencer

You can use the format command outside of the subsearch (i.e. the part contained in the []) to check the format of the new "search" field... for example:

|inputlookup severity | fields sev | rename sev as search | format

Bit odd that you still have to use that in the subsearch.

0 Karma

ma_anand1984
Contributor

@MHibbin
I have asked a follow-up question here, let me know if you have ideas 🙂

http://splunk-base.splunk.com/answers/61146/search-mutiple-strings-in-logs-and-give-count-of-respect...

0 Karma

ma_anand1984
Contributor

Yeah.. For some reason I have to explicitly give | format at the end in the sub-search. It worked with the below command.

source=snmp [|inputlookup severity | fields sev | rename sev as search | format]

Thanks again

0 Karma

MHibbin
Influencer

Did you see the edits to my searches above?

0 Karma

MHibbin
Influencer

@ma_anand1984, please see updated search strings... I forgot to rename the field as "search" which passes it as a search string.

0 Karma

MHibbin
Influencer

...

source=snmp field1=foo OR field1=bar OR field1=blah

You may just need to test some different strings out to see what works best for you.

0 Karma

MHibbin
Influencer

That search above should search in the raw event for any of the keywords delivered from the lookup file's sev field. For example, if the severity lookup contains the words foo, bar, blah, then the search would equate to:

source=snmp foo OR bar OR blah

I believe you can append this subsearch to a specific field if you already have a field extracted in your logs, so you could then search for strings in a specific field (e.g. field1), like:

source=snmp field1=[|inputlookup severity | fields sev |rename sev as search]

Which I think would be equivalent to:

....
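To make the subsearch expansion in the accepted answer and in the post above concrete (and to cover the follow-up about counting matches), here is an added Python emulation that is not Splunk code and not from either poster: it reads a constructed "severity" lookup with a "sev" column, builds the keyword OR-list the subsearch would hand to the outer search, and runs it over a few constructed SNMP-style events with a per-keyword tally. The word-boundary, case-insensitive matching only approximates Splunk's term matching on _raw.

```python
import csv
import io
import re
from collections import Counter

# Constructed lookup file, standing in for the "severity" lookup and its "sev" field.
SEVERITY_CSV = """sev
foo
bar
blah
"""

# Constructed sample events, standing in for source=snmp (not real log data).
SNMP_EVENTS = [
    "2013-01-10 10:01:02 trap from 10.0.0.5: link down, severity foo",
    "2013-01-10 10:01:07 trap from 10.0.0.9: cold start, severity bar",
    "2013-01-10 10:01:09 trap from 10.0.0.5: auth failure, severity blah",
    "2013-01-10 10:01:11 trap from 10.0.0.7: link up, severity info",
]


def load_keywords(lookup_csv, field):
    """Emulate `| inputlookup <lookup> | fields <field>`: pull one column, skip blanks."""
    rows = csv.DictReader(io.StringIO(lookup_csv))
    return [row[field].strip() for row in rows if row[field].strip()]


def build_search(base, keywords):
    """Emulate `| rename <field> as search`: the outer search becomes base + OR-list."""
    return base + " " + " OR ".join(keywords)


def match_events(events, keywords):
    """Return (matching events, per-keyword hit counts) for the OR-list above."""
    pats = {k: re.compile(r"\b" + re.escape(k) + r"\b", re.IGNORECASE) for k in keywords}
    hits, counts = [], Counter()
    for ev in events:
        matched = [k for k, p in pats.items() if p.search(ev)]
        if matched:
            hits.append(ev)
            counts.update(matched)
    return hits, counts


if __name__ == "__main__":
    kws = load_keywords(SEVERITY_CSV, "sev")
    print(build_search("source=snmp", kws))
    for ev in match_events(SNMP_EVENTS, kws)[0]:
        print(ev)
```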
