Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to save search results as a variable to then search against a lookup table?

splunker1981
Path Finder
‎01-20-2016 10:58 AM

Hello all,

I am trying to figure out how to save the results from a search and then check if they exist in my lookup table. I've tried a bunch of things, but don't seem to get the correct results back. What I am doing is running a search using a regex to save to a fieldname called searchString. The field returns about 1200 items when I run |table searchString. I want to use the data stored in the fieldName searchString and then see if there's a match for that string in my lookup file. When I use eval and set a known string to test the search below, it works fine and I get a match. When I use the same search, but instead of using eval to set the searchString, I don't get anything back. Not sure what I am doing wrong, any help would be greatly appreciated.

This works for testing:

  | stats count | fields - count | eval searchString="testString123test" | lookup masterStringList.csv strings

This one does not work when using it as part of a search result although I testString123test was added and should match.

  searchHere | dedup searchString | stats count | fields - count | lookup masterStringList.csv string
0 Karma
Reply

somesoni2
Revered Legend
‎01-20-2016 11:53 AM

Try something like this

your base search | stats count by searchString | fields - count  | lookup masterStringList.csv lookupFileFieldname as searchString
0 Karma
Reply

splunker1981
Path Finder
‎01-20-2016 06:09 PM

This gets me a little closer, however the query seems to print every single record in the lookupFile and add if a match is found it populates an additional column with the headers from the lookupfile. Is there a way to just show matches and not everything in the lookupFile?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...

Unlock Instant Security Insights from Amazon S3 with Splunk Cloud — Try Federated ...

Availability: Must be on Splunk Cloud Platform version 10.1.2507.x to view the free trial banner. If you are ...