Solved: Re: How to organize search substrings into LookUp ...

pm771 · ‎01-11-2023

Hello

I have a Splunk query that looks like following:

index=something "*abc*" OR "*def*" OR "*hig*"

These substrings do not belong to particular fields. Is there a way to put them in a lookup table?

If they were field values, I would've done something like:

index=something
   [| inputlookup My.csv |  fields FieldName | format]

richgalloway · ‎01-11-2023

If you put the strings in a lookup file using the field name foo then you should be able search for them using this query.

index=something
   [| inputlookup My.csv | return 1000 $foo]

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎01-11-2023

If you put the strings in a lookup file using the field name foo then you should be able search for them using this query.

index=something
   [| inputlookup My.csv | return 1000 $foo]

---
If this reply helps you, Karma would be appreciated.

yuanliu · ‎01-11-2023

Thank you, @richgalloway! I never learned about return command and the use of $field.

How to organize search substrings into LookUp tables?

lookup

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases

Are you a member of the Splunk Community?

How to organize search substrings into LookUp tables?

lookup

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases