How do I loop through a list of regular expression...

Splunk Search

I am new to Splunk.

The cluster command gives me results that I am looking for and some. I would like to filter the results of this command with a list of regular expression patterns that I have stored in a KV store, but I am having a tough time getting the answers that I am looking for. When I run the map command below it looks like the $payload$ ends up with the value rather than the field name.

The app_critical_warning KV store has a list of regexp patterns with one of the column names being regexp_pattern.

Here's the search that I have come up with:

index="someindex" msgtype::warning |
cluster t=0.9 showcount=true field=payload |
table cluster_count payload |
map [|inputlookup app_critical_warning |
regex $payload$=regexp_pattern ] maxsearches=10

Does anybody have any suggestions on how to go about this task? I can compose the search with all the regex patterns, but I would like to maintain it in a KV store for logistic reasons.

Thank you!

Get Updates on the Splunk Community!

How do I loop through a list of regular expression patterns stored in a KV store in a search?

fields

regex

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation