Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to search multiple value on the same field

BunnyHop
Contributor
‎03-18-2010 08:37 PM

I have a regex that searches for different types of value on a field:

  • | regex _raw="FIELD=(value1|value2|value3)"

However this search is painfully slow. How can you perform this search on the indexed data without creating a very long search string like the below:

SEARCH FIELD="value1" OR FIELD="value2" OR FIELD="value3"

Tags (3)
Reply
1 Solution
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎03-19-2010 12:09 AM

You create the long search string. You can create the long search string indirectly via a subsearch though, which can load a file:

[ inputlookup mylist.csv | fields MYFIELDNAME | format ]

The file mylist.csv must be in the app lookups folder (probably etc/apps/search/lookups) and must be a CSV file with at least 1 column named MYFIELDNAME, one value per line. You can also generate the lookups from search results using outputlookup if that is the source of your values.

Update:

With just a little more work, you can also configure a lookup that maps MYFIELDNAME values to a "groupname", and if you then configure automatic lookups against MYFIELDNAME, then you can just add groupname="group" to the query and Splunk will automatically perform the equivalent of expanding the search string for every MYFIELDNAME value in the lookup table where groupname is mapped to group.

View solution in original post

Reply
Solved! Jump to solution

oreoshake
Communicator
‎03-19-2010 12:12 AM

Yeah it's painfully slow because the data is filtered AFTER the search has run. I'd just write a little script that expands it out for you on your local machine. Splunk 4.0.10 recently removed the cap or OR clauses which might be good for you.

ruby:

ARGV[0].sub('|', ' or host=')

Reply
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎03-19-2010 12:09 AM

You create the long search string. You can create the long search string indirectly via a subsearch though, which can load a file:

[ inputlookup mylist.csv | fields MYFIELDNAME | format ]

The file mylist.csv must be in the app lookups folder (probably etc/apps/search/lookups) and must be a CSV file with at least 1 column named MYFIELDNAME, one value per line. You can also generate the lookups from search results using outputlookup if that is the source of your values.

Update:

With just a little more work, you can also configure a lookup that maps MYFIELDNAME values to a "groupname", and if you then configure automatic lookups against MYFIELDNAME, then you can just add groupname="group" to the query and Splunk will automatically perform the equivalent of expanding the search string for every MYFIELDNAME value in the lookup table where groupname is mapped to group.

Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎03-19-2010 01:58 PM

Sorry but "local" I mean the Splunk search server, not your client workstation.

Reply
Solved! Jump to solution

arungeorge09
Path Finder
‎02-02-2015 05:24 AM

How do I construct a query with this.?

0 Karma
Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎03-19-2010 01:58 PM

The external source is a file on the local machine. It will be fast.

Reply
Solved! Jump to solution

BunnyHop
Contributor
‎03-19-2010 12:08 PM

This seems to look at values from an external source, correct? Is this more efficient?

Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...