- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to send a partial string value to a lookup tab...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to send a partial string value to a lookup table and count the occurrences?
I have a field that contains a sentence such as "I love wonderful food!" I want to be able to check each word against a lookup table to determine if the sentence was positive or negative. I need to be able to track the count of each good and bad word and give the sentence a score. So for the above sentence the score would be +2.
Lookup Table
Good | Bad
love | hate
wonderful|
Is this possible with a lookup table or would it potentially be easier to turn the entire event into raw text and search against a multi valued field?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Maybe try something like this:
sourcetype=word_parse | eval clean_sentence = replace(sentence, , ""> | eval parsed_sentence = split(clean_sentence, " ") | mvexpand parsed_sentence | lookup point_lookup word as parsed_sentence OUTPUT score | stats sum(score) as total
You might want to try a lookup table like this:
Lookup point_lookup:
word | score
Good | 1
Bad | -1
love | 1
hate | -1
wonderful| 1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Edit: I think it's something in the back end throwing an error for this particular search.
I like your idea but for some reason it's giving no output. I changed your search to:
... |eval clean_sentence = replace(sentence,' ',"") | eval parsed_sentence = split(clean_sentence, " ") | mvexpand parsed_sentence | lookup point_lookup word as parsed_sentence OUTPUT score | stats sum(score) as total
but it appears to generate no output/matches.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you tell me what lookup you used and what the input sentence is?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I recreated my lookup in the same manner as you did and named it point_lookup. The input sentence could be anything from "I love my iphone" to "I hate my iphone". The input is actually twitter data.
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
