I am new to Splunk.
cluster command gives me results that I am looking for and some. I would like to filter the results of this command with a list of regular expression patterns that I have stored in a KV store, but I am having a tough time getting the answers that I am looking for. When I run the
map command below it looks like the $payload$ ends up with the value rather than the field name.
The app_critical_warning KV store has a list of regexp patterns with one of the column names being regexp_pattern.
Here's the search that I have come up with:
index="someindex" msgtype::warning |
cluster t=0.9 showcount=true field=payload |
table cluster_count payload |
map [|inputlookup app_critical_warning |
regex $payload$=regexp_pattern ] maxsearches=10
Does anybody have any suggestions on how to go about this task? I can compose the search with all the
regex patterns, but I would like to maintain it in a KV store for logistic reasons.