Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to match the search string presence in lookuptable and show the presence as yes or not in result table

akshayinnamuri
Loves-to-Learn Lots
‎02-09-2022 12:25 AM

Hi Guys,

I have a string say example : abc

this string I want to lookup and match the presence in a lookup table  | lookuptable test.csv

test.csv has value

Number Value
1xyz
2abc
3mnp
4wgf

 

I want to check the presence of my search string abc in lookup table and shows me yes or no in result table

Like if found in lookuptable should result me as Yes else NO

example abc is present in lookuptable so my output should be

Search stringPresence
abcYes

 

my search string abc

| inputlookup test.csv| table value | rename value AS V1
| eval x="searchstring"
| eval y="v1"
| eval match=if(match(x,y),1,0)
| where match=1
| table Searchstring, Yes

 

I tried this but didnt get result

Kindly help me !

Thanks in advance

Labels (3)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎02-09-2022 06:04 AM

Firstly, you're mixing cases. With field names v1 is not the same as V1.

Secondly, you're setting y to a literal "v1" string. It has nothing to do with the v1 field (mind also the case remark above).

Thirdly, the match() function is a regex match.

And lastly - will you be trying to integrate it into some bigger search? If so, then you'll probably need some another approach.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎02-09-2022 12:50 AM

Do you mean something like this?

| inputlookup test.csv
| table value 
| rename value AS V1
| eval x="searchstring"
| eval presence=if(match(V1,x),"Yes","No")
| where presense="Yes"
| table V1, presence
0 Karma
Reply

akshayinnamuri
Loves-to-Learn Lots
‎02-09-2022 01:10 AM

Thanks for the response but 

when I try same logic I didnt get any result

resulting table should tell me if present yes and if not present no

 

I tried above but only shows no result found

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎02-09-2022 05:15 AM

Try without the where command

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...