Splunk Search

How to search unstructured log for all values in your lookup file?

Engager

Hi,

I'd like to search our log for multiple possible errors from our lookup file:

[screenshot of the lookup file: a table with an Error column and a Source column]

to return only the records containing in any field one of the strings in the Error column and show the corresponding value from the Source column.

Is there a way ,such as | inputlookup errors.csv | foreach... | search ...?

Many thanks in advance,

Luc

0 Karma

Re: How to search unstructured log for all values in your lookup file?

Legend

Hi luc_k,
It's possible to search for the full string you have in the Error field.
In other words: you can search for "Some Errors occurred" but not for Some Errors occurred.
Try something like this:

your_search [ | inputlookup your_lookup.csv | rename Error AS query | fields query ]
| ...

In this way you do a full-text search across all events.

Bye.
Giuseppe

0 Karma

Re: How to search unstructured log for all values in your lookup file?

Engager

To return the Source column, something like yoursearch [ | inputlookup yourlookup.csv | rename Error AS query | fields query ] | lookup your_lookup.csv ...?

0 Karma

Re: How to search unstructured log for all values in your lookup file?

Legend

Hi luc_k,
This last question isn't so easy, because when you use the query field in a search you lose the field=value pair and you have to rebuild it.
You should try something like this:

 your_search [ | inputlookup your_lookup.csv | rename Error AS query | fields query ]
 | rename _raw AS rawText
 | eval foo=[
     | inputlookup your_lookup.csv
     | eval query="%" . Error . "%"
     | stats values(query) AS query
     | eval query="\"" . mvjoin(query, ",") . "\""
     | return $query
     ]
 | eval foo=split(foo, ",")
 | mvexpand foo
 | where like(rawText, foo)
 | rex field=foo "%(?<Error>[^%]*)%"
 | ...

Bye.
Giuseppe

0 Karma
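As an added illustration (not part of the thread, and not Splunk's own code), the following Python script models what the two answers above make Splunk do: the first function builds the OR'd list of quoted phrases that the `[ | inputlookup ... | rename Error AS query | fields query ]` subsearch expands to, and the second runs each lookup Error as a `%Error%` wildcard over sample events the way the `mvexpand` / `where like(...)` pipeline does, then attaches the matching Source as `| lookup your_lookup.csv Error OUTPUT Source` would. The lookup rows, the log lines and the function names are constructed for this example; `like()` is a minimal reimplementation of Splunk's wildcard matching, not a call into Splunk.

```python
import csv
import io
import re

# Constructed lookup file standing in for the thread's errors.csv
# (the Error and Source columns are the ones the question describes).
LOOKUP_CSV = """Error,Source
Connection refused,network
Some Errors occurred,app-server
disk full,storage
"""

# Constructed sample events standing in for the unstructured log.
EVENTS = [
    "2024-05-01T10:00:01 host1 app: Some Errors occurred while saving",
    "2024-05-01T10:00:02 host2 sshd: Connection refused from 10.0.0.5",
    "2024-05-01T10:00:03 host3 kernel: all good here",
    "2024-05-01T10:00:04 host4 backup: disk full, Connection refused by peer",
]


def load_lookup(text):
    """Equivalent of | inputlookup: one dict per row, keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def build_search_terms(rows):
    """What the subsearch [ | inputlookup ... | rename Error AS query | fields query ]
    contributes to the outer search: every Error value as a quoted phrase, OR'd.

    The quotes are the point of the first reply: unquoted, a multi-word value
    such as Some Errors occurred becomes three separate AND'd terms.
    """
    terms = ['"' + r["Error"].replace('"', '\\"') + '"' for r in rows]
    return " OR ".join(terms)


def like(text, pattern):
    """Minimal model of Splunk's like(TEXT, PATTERN): % matches any run of
    characters, _ matches exactly one character, anything else is literal."""
    regex = "".join(
        ".*" if c == "%" else "." if c == "_" else re.escape(c) for c in pattern
    )
    return re.fullmatch(regex, text, re.DOTALL) is not None


def match_events(events, rows):
    """Model of the second reply's pipeline: pair every event with every
    lookup Error (mvexpand), keep the pairs where like(rawText, "%Error%")
    holds, and attach Source as | lookup ... Error OUTPUT Source would.

    Returns one (event, Error, Source) tuple per match, so an event that
    matches two lookup rows appears twice, exactly as it does after mvexpand.
    """
    hits = []
    for raw in events:
        for r in rows:
            if like(raw, "%" + r["Error"] + "%"):
                hits.append((raw, r["Error"], r["Source"]))
    return hits


if __name__ == "__main__":
    lookup_rows = load_lookup(LOOKUP_CSV)
    print("outer search terms:", build_search_terms(lookup_rows))
    for event, err, src in match_events(EVENTS, lookup_rows):
        print(f"{src:12s} {err!r:28s} {event}")
```

The last event in the sample shows the behaviour worth remembering when you count results: it contains two lookup strings, so it comes out of `mvexpand` (and out of `match_events`) as two rows with different Source values, not one.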

Re: How to search unstructured log for all values in your lookup file?

Legend

If this answer satisfies your question, please accept or upvote it.
Bye.
Giuseppe

0 Karma

Re: How to search unstructured log for all values in your lookup file?

Engager

Thank you for your prompt reply. This returns the search results. How do I return the Source column?

0 Karma