Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do you use the value of a field as a keyword search?

davidhake
New Member
‎04-07-2016 09:08 AM

I would like to use the value of a field as a keyword search. For example, if I have field like dest_ip="1.1.1.1", how do I take the value of the field (1.1.1.1) and use it as a general keyword search? Some of my data does not have the proper fields extracted or they are extracted with different names.

0 Karma
Reply

somesoni2
Revered Legend
‎04-07-2016 09:29 AM

I'm guessing you've a search which gives you the "values" that will be used to do "string-based" filter in another search. If that's try try something like this 

your base search [search your search giving dest_ip field | stats count by dest_ip | table dest_ip | rename dest_ip as search ] | ... remaining portion of the search

The subsearch will give a nested OR condition with just the string value of the field dest_ip ('search' is a special field name and when used in subsearch, it returns just the value without field name), like this

(("1.2.3.4" ) OR ("11.22.33.44") OR ....)
Reply

davidhake
New Member
‎04-07-2016 10:13 AM

I'm actually wanting to do it with a lookup using a .csv file. I want to take each value from the csv file and do a keyword search against all my data. Below is my current search string. The problem is that it only matches against the "dest_IP" fields. I want to do a keyword search with the values from the csv file.

| lookup file.csv ip_addr as dest_ip OUTPUT 2ndvalue as status | search status=*

0 Karma
Reply

somesoni2
Revered Legend
‎04-07-2016 11:33 AM

Just replace the subsearch query with your inputlookup one. like this

index=foo sourceytpe=bar  [| inputlookup file.csv | tabel ip_addr | rename ip_addr as search ]  | rest of your search
0 Karma
Reply

davidhake
New Member
‎04-07-2016 11:43 AM

I appreciate the help but I am not following, can you be a little more specific please?

0 Karma
Reply

somesoni2
Revered Legend
‎04-07-2016 12:13 PM

Ok. First there was a type in the subsearch, the command should inputlookup lookup. What the subsearch does is it takes values of field ip_addr (which should the field name in the lookup table file.csv. and returns a big nested OR conditions with text value of the field ip_addr. so if your file.csv data is like htis

ip_addr,status...otherfields
1.1.1.1,status1,...
2.2.2.2,status2,...
3.3.3.3,status3,...

The resulting search (above) will become like this. Is this you meant by value as keyword search?

 index=foo sourceytpe=bar (("1.1.1.1") OR ("2.2.2.2") OR ("3.3.3.3")) | rest of your search
0 Karma
Reply

davidhake
New Member
‎04-07-2016 01:02 PM

Yes, I believe so except I had to use "query" instead of "search". I appreciate your help!

https://answers.splunk.com/answers/7472/subsearch-fields-query-search-how-do-i-know-which-to-use.htm...

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...