Splunk Search

How do you use the value of a field as a keyword search?

davidhake
New Member

I would like to use the value of a field as a keyword search. For example, if I have field like dest_ip="1.1.1.1", how do I take the value of the field (1.1.1.1) and use it as a general keyword search? Some of my data does not have the proper fields extracted or they are extracted with different names.

0 Karma

somesoni2
Revered Legend

I'm guessing you've a search which gives you the "values" that will be used to do a "string-based" filter in another search. If that's the case, try something like this

your base search [search your search giving dest_ip field | stats count by dest_ip | table dest_ip | rename dest_ip as search ] | ... remaining portion of the search

The subsearch will give a nested OR condition with just the string value of the field dest_ip ('search' is a special field name and when used in a subsearch, it returns just the value without the field name), like this

(("1.2.3.4" ) OR ("11.22.33.44") OR ....)

davidhake
New Member

I'm actually wanting to do it with a lookup using a .csv file. I want to take each value from the csv file and do a keyword search against all my data. Below is my current search string. The problem is that it only matches against the "dest_IP" fields. I want to do a keyword search with the values from the csv file.

| lookup file.csv ip_addr as dest_ip OUTPUT 2ndvalue as status | search status=*

0 Karma

somesoni2
Revered Legend

Just replace the subsearch query with your inputlookup one, like this

index=foo sourcetype=bar  [| inputlookup file.csv | table ip_addr | rename ip_addr as search ]  | rest of your search
0 Karma

davidhake
New Member

I appreciate the help but I am not following, can you be a little more specific please?

0 Karma

somesoni2
Revered Legend

Ok. First there was a typo in the subsearch; the command should be inputlookup. What the subsearch does is take the values of field ip_addr (which should be the field name in the lookup table file.csv) and return a big nested OR condition with the text value of the field ip_addr. So if your file.csv data is like this

ip_addr,status...otherfields
1.1.1.1,status1,...
2.2.2.2,status2,...
3.3.3.3,status3,...

The resulting search (above) will become like this. Is this what you meant by value as keyword search?

index=foo sourcetype=bar (("1.1.1.1") OR ("2.2.2.2") OR ("3.3.3.3")) | rest of your search
0 Karma
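The expansion described in the answer above, as an added Python emulation (not Splunk's code and not part of the thread): it reads a constructed lookup CSV, dedupes the ip_addr column the way "stats count by" would, and renders the OR clause that Splunk splices into the outer search, with quote escaping and the assumed default subsearch row cap (limits.conf [subsearch] maxout) modelled as a check.

```python
import csv
import io

# Constructed sample lookup in the shape the thread describes (not the asker's real file.csv).
FILE_CSV = """ip_addr,status,owner
1.1.1.1,status1,teamA
2.2.2.2,status2,teamB
3.3.3.3,status3,teamC
2.2.2.2,status2-dup,teamB
"""

# Assumed default cap on rows a subsearch may return (limits.conf [subsearch] maxout).
SUBSEARCH_MAXOUT = 10000


def lookup_values(csv_text, field):
    """Emulate `| inputlookup file.csv | table <field>`: the column's values, empty cells dropped."""
    rows = csv.DictReader(io.StringIO(csv_text))
    if field not in (rows.fieldnames or []):
        raise KeyError(f"field {field!r} not in lookup header {rows.fieldnames}")
    return [(r.get(field) or "").strip() for r in rows if (r.get(field) or "").strip()]


def dedupe(values):
    """Emulate `| stats count by <field>`: one row per distinct value, first-seen order."""
    return list(dict.fromkeys(values))


def subsearch_clause(values, as_field=None, maxout=SUBSEARCH_MAXOUT):
    """Render the OR clause the search head substitutes for the subsearch.

    as_field=None models `rename <field> as search`: bare quoted keywords.
    as_field="dest_ip" models keeping the field name: dest_ip="..." terms.
    """
    if not values:
        raise ValueError("lookup returned no values; refusing to build an empty filter")
    if len(values) > maxout:
        raise ValueError(f"{len(values)} rows exceed maxout={maxout}; Splunk would truncate the list")

    def term(v):
        # SPL string literals escape backslash and double quote with a backslash.
        lit = '"' + v.replace("\\", "\\\\").replace('"', '\\"') + '"'
        return f"({lit})" if as_field is None else f"({as_field}={lit})"

    return "(" + " OR ".join(term(v) for v in values) + ")"


def expand(outer, csv_text, field, rest, as_field=None):
    """Splice the rendered clause into `outer [subsearch] | rest`."""
    clause = subsearch_clause(dedupe(lookup_values(csv_text, field)), as_field)
    return f"{outer} {clause} | {rest}"


if __name__ == "__main__":
    print(expand("index=foo sourcetype=bar", FILE_CSV, "ip_addr", "rest of your search"))
```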

davidhake
New Member

Yes, I believe so except I had to use "query" instead of "search". I appreciate your help!

https://answers.splunk.com/answers/7472/subsearch-fields-query-search-how-do-i-know-which-to-use.htm...

0 Karma