Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to edit my search to filter results using extracted fields from a lookup and a where clause?

splunkrocks2014
Communicator
‎06-22-2016 11:03 AM

Hi.

How do I filter my results from an extracted field and where-clause?

I have a user lookup table which contains different formats such as /, , etc. I am able to extract a new field, but how can I apply it from the Splunk search?

My sample lookup csv file (users.csv):

user                       title
-------                    -------------
xyz.com/U1234              MD
X12345                     AVP
P12345                     ED

My lookup object configuration (transforms.conf):

[userid_lookup]
filename = users.csv
case_sensitive_match = false

And my Splunk search looks like the following. What is the correct syntax from my lookup?

index=xyz sourcetype=xyz:abc fields userid
| lookup userid_lookup | rex field=user "(?:.*\\\|)(?<userid>[\w]*)" OUTPUT title | where title="MD"

Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎06-22-2016 11:13 AM

Give this a try

Updated

index=xyz sourcetype=xyz:abc | join type=left userId [| inputlookup  userid_lookup  | rex field=user "(?:.*\\\|)(?<userid>[\w]*)" | table userId title ]
 | where title="MD" OR isnull(title)

View solution in original post

Reply
Solved! Jump to solution

ltrand
Contributor
‎06-22-2016 11:25 AM

index=xyz sourcetype=xyz:abc | rex field=user "(?:.\|)(?[\w])" | lookup user AS user OUTPUT title | search title=MD

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎06-22-2016 11:13 AM

Give this a try

Updated

index=xyz sourcetype=xyz:abc | join type=left userId [| inputlookup  userid_lookup  | rex field=user "(?:.*\\\|)(?<userid>[\w]*)" | table userId title ]
 | where title="MD" OR isnull(title)
Reply
Solved! Jump to solution

splunkrocks2014
Communicator
‎06-22-2016 12:04 PM

It works with title=something, but it doesn't work if searched user with empty title. For instance,

 index=xyz sourcetype=xyz:abc | join userid [| inputlookup  userid_lookup  | rex field=user "(?:.*\\\|)(?<userid>[\w]*)" | table userid title ]
  | where isnull(title)

Any clues?

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎06-22-2016 12:25 PM

What you want to do if the title is empty for a user?

0 Karma
Reply
Solved! Jump to solution

splunkrocks2014
Communicator
‎06-22-2016 01:39 PM

Basically, the title is never a null value. I am looking for if there are any users from the events are not matched to the lookup table. I can do following:

index=xyz sourcetype=xyz:abc | search NOT [| inputlookup  userid_lookup  | rex field=user "(?:.*\\\|)(?<userid>[\w]*)" | fields userid ]

but it doesn't work with the where-clause. I don't know why.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎06-22-2016 01:57 PM

Try the updated answer (you probably don't need both the condition I wrote in where clause, just use whichever is applicable)

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...