Solved: How to organize search substrings into LookUp tabl...

pm771 · ‎01-11-2023

Hello

I have a Splunk query that looks like following:

index=something "*abc*" OR "*def*" OR "*hig*"

These substrings do not belong to particular fields. Is there a way to put them in a lookup table?

If they were field values, I would've done something like:

index=something
   [| inputlookup My.csv |  fields FieldName | format]

richgalloway · ‎01-11-2023

If you put the strings in a lookup file using the field name foo then you should be able search for them using this query.

index=something
   [| inputlookup My.csv | return 1000 $foo]

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎01-11-2023

If you put the strings in a lookup file using the field name foo then you should be able search for them using this query.

index=something
   [| inputlookup My.csv | return 1000 $foo]

---
If this reply helps you, Karma would be appreciated.

yuanliu · ‎01-11-2023

Thank you, @richgalloway! I never learned about return command and the use of $field.

How to organize search substrings into LookUp tables?

lookup

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Join the Conversation

How to organize search substrings into LookUp tables?

lookup

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...