Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do you use the value of a field as a keyword search?

davidhake
New Member
‎04-07-2016 09:08 AM

I would like to use the value of a field as a keyword search. For example, if I have field like dest_ip="1.1.1.1", how do I take the value of the field (1.1.1.1) and use it as a general keyword search? Some of my data does not have the proper fields extracted or they are extracted with different names.

0 Karma
Reply

somesoni2
Revered Legend
‎04-07-2016 09:29 AM

I'm guessing you've a search which gives you the "values" that will be used to do "string-based" filter in another search. If that's try try something like this 

your base search [search your search giving dest_ip field | stats count by dest_ip | table dest_ip | rename dest_ip as search ] | ... remaining portion of the search

The subsearch will give a nested OR condition with just the string value of the field dest_ip ('search' is a special field name and when used in subsearch, it returns just the value without field name), like this

(("1.2.3.4" ) OR ("11.22.33.44") OR ....)
Reply

davidhake
New Member
‎04-07-2016 10:13 AM

I'm actually wanting to do it with a lookup using a .csv file. I want to take each value from the csv file and do a keyword search against all my data. Below is my current search string. The problem is that it only matches against the "dest_IP" fields. I want to do a keyword search with the values from the csv file.

| lookup file.csv ip_addr as dest_ip OUTPUT 2ndvalue as status | search status=*

0 Karma
Reply

somesoni2
Revered Legend
‎04-07-2016 11:33 AM

Just replace the subsearch query with your inputlookup one. like this

index=foo sourceytpe=bar  [| inputlookup file.csv | tabel ip_addr | rename ip_addr as search ]  | rest of your search
0 Karma
Reply

davidhake
New Member
‎04-07-2016 11:43 AM

I appreciate the help but I am not following, can you be a little more specific please?

0 Karma
Reply

somesoni2
Revered Legend
‎04-07-2016 12:13 PM

Ok. First there was a type in the subsearch, the command should inputlookup lookup. What the subsearch does is it takes values of field ip_addr (which should the field name in the lookup table file.csv. and returns a big nested OR conditions with text value of the field ip_addr. so if your file.csv data is like htis

ip_addr,status...otherfields
1.1.1.1,status1,...
2.2.2.2,status2,...
3.3.3.3,status3,...

The resulting search (above) will become like this. Is this you meant by value as keyword search?

 index=foo sourceytpe=bar (("1.1.1.1") OR ("2.2.2.2") OR ("3.3.3.3")) | rest of your search
0 Karma
Reply

davidhake
New Member
‎04-07-2016 01:02 PM

Yes, I believe so except I had to use "query" instead of "search". I appreciate your help!

https://answers.splunk.com/answers/7472/subsearch-fields-query-search-how-do-i-know-which-to-use.htm...

0 Karma
Reply
Get Updates on the Splunk Community!

CX Day is Coming!

Customer Experience (CX) Day is on October 7th!! We're so excited to bring back another day full of wonderful ...

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

The Big One: Splunk 10 is Here!  The moment many of you have been waiting for has arrived! We are thrilled to ...

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Today, we’re excited to announce the release of a brand new AI assistant usage dashboard in Cloud Monitoring ...