Splunk Search

How to keyword search values in a lookup table without using field names

marycordova
SplunkTrust
SplunkTrust

Assume you have a lookup table and you want to load the lookup table and then search the lookup table for a value or values but you don't know which field/column the value(s) might be in in the lookup table.

How can you search the lookup table for the value(s) without defining every possible field=value combination in the search?

For example the following fails:

| inputlookup uid_host_ip_mac.csv 
| search myuserid OR myhostname OR myip OR mymac
| table _time uid host ip mac
| sort - _time

But the below would work:

| inputlookup uid_host_ip_mac.csv 
| search uid=myuserid OR uid=myhostname OR uid=myip OR uid=mymac OR host=myuserid OR host=myhostname OR host=myip OR host=mymac OR ip=myuserid OR ip=myhostname OR ip=myip OR ip=mymac OR mac=myuserid OR mac=myhostname OR mac=myip OR mac=mymac
| table _time uid host ip mac
| sort - _time

Obviously in this case I know which field=value pairs go together so I wouldn't in reality use all these possible combinations in this example, but if I didn't know which field=value pairs went together, how could I keyword search the lookup table like in the first example?

0 Karma
1 Solution

marycordova
SplunkTrust
SplunkTrust

To search a lookup table with keyword values not tied to fields/columns (field=keyword) just add an artificial _raw event field:

| inputlookup uid_host_ip_mac_rolling.csv 
| eval _raw=tostring(mvjoin((mvappend('uid','host','ip,'mac'))," : "))
| search myuserid OR my-hostname OR myip OR mymac
| table _time uid host ip mac
| sort - _time

you can use any delimiter you want, it doesn't have to be a " : "
also the tostring might not be necessary...
| eval _raw=tostring(mvjoin((mvappend('uid','host','ip,'mac'))," : "))

View solution in original post

marycordova
SplunkTrust
SplunkTrust
0 Karma

marycordova
SplunkTrust
SplunkTrust

To search a lookup table with keyword values not tied to fields/columns (field=keyword) just add an artificial _raw event field:

| inputlookup uid_host_ip_mac_rolling.csv 
| eval _raw=tostring(mvjoin((mvappend('uid','host','ip,'mac'))," : "))
| search myuserid OR my-hostname OR myip OR mymac
| table _time uid host ip mac
| sort - _time

you can use any delimiter you want, it doesn't have to be a " : "
also the tostring might not be necessary...
| eval _raw=tostring(mvjoin((mvappend('uid','host','ip,'mac'))," : "))

View solution in original post


Tune In & Win!

Don't miss out on your
chance to take home free
prizes by helping our players
save the Splunk Cloudom!

Dungeons & Data
Monsters: Splunk O11y
Day Editions Games
stream live:
5/4 at 6:30pm PST
5/5 at 7:00pm PST
on