Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I create a more efficient search with wildcards with inputlookups in subseraches?

Janani_Krish
Path Finder
‎03-17-2022 01:22 AM

I have a lookup named tc with a field  indicator. I wanted to search that indicator field in my firewall sourcetype with wildcards as below.

[|inputlookup tc|dedup indicator|eval indicator1="*".indicator."*"|table indicator1|format] |where sourcetype="firewall"



But this search was not efficient and is time consuming. Also I was not able to use union or Join as I have to look for a field with wildcard.

Kindly suggest any alternatives.

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎03-17-2022 01:27 AM

Hi @Janani_Krish,

let me understand: do you want to perform a full text search using a field of your lookup on row events or you want to identify the matching values?

if the first, you could try something like this:

index=your_index sourcetype="firewall" [ | inputlookup tc | rename indicator AS query | fields query ] 
| table _time field1 field2 ...

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎03-17-2022 01:27 AM

Hi @Janani_Krish,

let me understand: do you want to perform a full text search using a field of your lookup on row events or you want to identify the matching values?

if the first, you could try something like this:

index=your_index sourcetype="firewall" [ | inputlookup tc | rename indicator AS query | fields query ] 
| table _time field1 field2 ...

Ciao.

Giuseppe

Reply
Solved! Jump to solution

Janani_Krish
Path Finder
‎03-22-2022 01:57 AM

Hello @gcusello 

This searches the whole raw event. What if I wanted to search only the value of particular field in _raw ?

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎03-22-2022 02:56 AM

Hi @Janani_Krish,

please see something like this (if the field to match is called "matching_field"):

index=your_index sourcetype="firewall" [ | inputlookup tc | eval matching_field="*".indicator."*" | fields matching_field ] 
| table _time matching_field field1 field2 ...

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

Janani_Krish
Path Finder
‎03-17-2022 01:42 AM

Hello @gcusello 

Thanks for your reply. I wanted to find the matching values. But in this case,

My tc lookup will be having indicator="Michael" whereas my  firewall would have name= "Michael Jonas"

So I wanted to append wild card to my indicator field in lookup field and search as indicator=*Michael*. But since it is wildcard appended I was not able to do matching using join or union. Hence tried using text search method.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎03-17-2022 01:44 AM

Hi @Janani_Krish,

if you use my method (renaming your field in "query" in the lookup subsearch), you are performing a full text search on _row using the values of the renamed field, so you don't need to add wildcards.

Ciao.

Giuseppe

 

Reply
Solved! Jump to solution

Janani_Krish
Path Finder
‎03-17-2022 04:44 AM

Thanks @gcusello . That works.

0 Karma
Reply
Get Updates on the Splunk Community!

Good Sourcetype Naming

When it comes to getting data in, one of the earliest decisions made is what to use as a sourcetype. Often, ...

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...

Splunk App for Anomaly Detection End of Life Announcement

Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...