Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to do an open text search using a lookup table?

DEAD_BEEF
Builder
‎07-27-2018 10:32 AM

I have an inventory csv file and want to do an open text search for all the hostnames in my lookup table. The reason I say "open text search" is because the hostname field is named differently across various indexes so I can't point my LUT column to a specific log field.

I am basically trying to avoid the below query as I don't want to type out (copy+paste) all the hostnames

index=web OR index=main OR index=os (host1 OR host2 OR ... host n)

My current query is:

index=*
    [| inputlookup hosts.csv 
    | fields name
    ]
| stats count by index sourcetype
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jplumsdaine22
Influencer
‎07-27-2018 10:45 AM

To return strings instead of KV pairs from a subsearch, use the format command (after renaming the field to literally search)

 index=*
 [| inputlookup hosts.csv 
 | fields name
 | rename name as search
 | format
 ]
 | stats count by index sourcetype

For event faster performance, (but if and only if your hostnames contain no segments (dashes etc)) use |tstats instead

 |tstats count WHERE index=*
     [| inputlookup hosts.csv 
     | fields name
     | rename name as search
     | format
     ]
 by index sourcetype

View solution in original post

Reply
Solved! Jump to solution
Solution

jplumsdaine22
Influencer
‎07-27-2018 10:45 AM

To return strings instead of KV pairs from a subsearch, use the format command (after renaming the field to literally search)

 index=*
 [| inputlookup hosts.csv 
 | fields name
 | rename name as search
 | format
 ]
 | stats count by index sourcetype

For event faster performance, (but if and only if your hostnames contain no segments (dashes etc)) use |tstats instead

 |tstats count WHERE index=*
     [| inputlookup hosts.csv 
     | fields name
     | rename name as search
     | format
     ]
 by index sourcetype
Reply
Solved! Jump to solution

DEAD_BEEF
Builder
‎07-27-2018 10:57 AM

The first query works perfectly! The tstats doesn't seem to work as I get the error, Error in 'TsidxStats': WHERE clause is not an exact query. The hostnames have "." in some of them, not sure if that is the problem.

0 Karma
Reply
Solved! Jump to solution

jplumsdaine22
Influencer
‎07-27-2018 11:13 AM

Yep any special characters will cause the stats search to fail. For a deeper explanation into why that is so, have a read through this: https://conf.splunk.com/files/2017/slides/fields-indexed-tokens-and-you.pdf.

If the answer worked for you would you mind accepting it?

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...