Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I create a more efficient search with wildcards with inputlookups in subseraches?

Janani_Krish
Path Finder
‎03-17-2022 01:22 AM

I have a lookup named tc with a field  indicator. I wanted to search that indicator field in my firewall sourcetype with wildcards as below.

[|inputlookup tc|dedup indicator|eval indicator1="*".indicator."*"|table indicator1|format] |where sourcetype="firewall"



But this search was not efficient and is time consuming. Also I was not able to use union or Join as I have to look for a field with wildcard.

Kindly suggest any alternatives.

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎03-17-2022 01:27 AM

Hi @Janani_Krish,

let me understand: do you want to perform a full text search using a field of your lookup on row events or you want to identify the matching values?

if the first, you could try something like this:

index=your_index sourcetype="firewall" [ | inputlookup tc | rename indicator AS query | fields query ] 
| table _time field1 field2 ...

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎03-17-2022 01:27 AM

Hi @Janani_Krish,

let me understand: do you want to perform a full text search using a field of your lookup on row events or you want to identify the matching values?

if the first, you could try something like this:

index=your_index sourcetype="firewall" [ | inputlookup tc | rename indicator AS query | fields query ] 
| table _time field1 field2 ...

Ciao.

Giuseppe

Reply
Solved! Jump to solution

Janani_Krish
Path Finder
‎03-22-2022 01:57 AM

Hello @gcusello 

This searches the whole raw event. What if I wanted to search only the value of particular field in _raw ?

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎03-22-2022 02:56 AM

Hi @Janani_Krish,

please see something like this (if the field to match is called "matching_field"):

index=your_index sourcetype="firewall" [ | inputlookup tc | eval matching_field="*".indicator."*" | fields matching_field ] 
| table _time matching_field field1 field2 ...

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

Janani_Krish
Path Finder
‎03-17-2022 01:42 AM

Hello @gcusello 

Thanks for your reply. I wanted to find the matching values. But in this case,

My tc lookup will be having indicator="Michael" whereas my  firewall would have name= "Michael Jonas"

So I wanted to append wild card to my indicator field in lookup field and search as indicator=*Michael*. But since it is wildcard appended I was not able to do matching using join or union. Hence tried using text search method.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎03-17-2022 01:44 AM

Hi @Janani_Krish,

if you use my method (renaming your field in "query" in the lookup subsearch), you are performing a full text search on _row using the values of the renamed field, so you don't need to add wildcards.

Ciao.

Giuseppe

 

Reply
Solved! Jump to solution

Janani_Krish
Path Finder
‎03-17-2022 04:44 AM

Thanks @gcusello . That works.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...