Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do you use the value of a field as a keyword search?

davidhake
New Member
‎04-07-2016 09:08 AM

I would like to use the value of a field as a keyword search. For example, if I have field like dest_ip="1.1.1.1", how do I take the value of the field (1.1.1.1) and use it as a general keyword search? Some of my data does not have the proper fields extracted or they are extracted with different names.

0 Karma
Reply

somesoni2
Revered Legend
‎04-07-2016 09:29 AM

I'm guessing you've a search which gives you the "values" that will be used to do "string-based" filter in another search. If that's try try something like this 

your base search [search your search giving dest_ip field | stats count by dest_ip | table dest_ip | rename dest_ip as search ] | ... remaining portion of the search

The subsearch will give a nested OR condition with just the string value of the field dest_ip ('search' is a special field name and when used in subsearch, it returns just the value without field name), like this

(("1.2.3.4" ) OR ("11.22.33.44") OR ....)
Reply

davidhake
New Member
‎04-07-2016 10:13 AM

I'm actually wanting to do it with a lookup using a .csv file. I want to take each value from the csv file and do a keyword search against all my data. Below is my current search string. The problem is that it only matches against the "dest_IP" fields. I want to do a keyword search with the values from the csv file.

| lookup file.csv ip_addr as dest_ip OUTPUT 2ndvalue as status | search status=*

0 Karma
Reply

somesoni2
Revered Legend
‎04-07-2016 11:33 AM

Just replace the subsearch query with your inputlookup one. like this

index=foo sourceytpe=bar  [| inputlookup file.csv | tabel ip_addr | rename ip_addr as search ]  | rest of your search
0 Karma
Reply

davidhake
New Member
‎04-07-2016 11:43 AM

I appreciate the help but I am not following, can you be a little more specific please?

0 Karma
Reply

somesoni2
Revered Legend
‎04-07-2016 12:13 PM

Ok. First there was a type in the subsearch, the command should inputlookup lookup. What the subsearch does is it takes values of field ip_addr (which should the field name in the lookup table file.csv. and returns a big nested OR conditions with text value of the field ip_addr. so if your file.csv data is like htis

ip_addr,status...otherfields
1.1.1.1,status1,...
2.2.2.2,status2,...
3.3.3.3,status3,...

The resulting search (above) will become like this. Is this you meant by value as keyword search?

 index=foo sourceytpe=bar (("1.1.1.1") OR ("2.2.2.2") OR ("3.3.3.3")) | rest of your search
0 Karma
Reply

davidhake
New Member
‎04-07-2016 01:02 PM

Yes, I believe so except I had to use "query" instead of "search". I appreciate your help!

https://answers.splunk.com/answers/7472/subsearch-fields-query-search-how-do-i-know-which-to-use.htm...

0 Karma
Reply
Get Updates on the Splunk Community!

Your Voice Matters! Help Us Shape the New Splunk Lantern Experience

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Community Content Calendar, October Edition

Welcome to the October edition of our Community Spotlight! The Splunk Community is a treasure trove of ...