Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to use values in lookup table not as fields but as search strings?

christopheryu
Communicator
‎03-21-2017 02:43 PM

Using lookup table to search events but having some issues:

|inputlookup router_lookup | rename Router_Name as DEVICE_NAME Router_Interface as INTERFACE | fields DEVICE_NAME, INTERFACE | format

results to:

( ( DEVICE_NAME="ROUTERA" AND INTERFACE="xe-5/2/0" ) OR ( DEVICE_NAME="ROUTERB" AND INTERFACE="xe-9/3/1" ) OR ( DEVICE_NAME="ROUTERC" AND INTERFACE="xe-6/7/0" ) ... etc

However, I found out that DEVICE_NAME is not a defined field for all routers, so I tried doing this:

|inputlookup router_lookup | rename Router_Name as DEVICE_NAME Router_Interface as INTERFACE | eval Interface_Name=DEVICE_NAME." AND ".INTERFACE | fields Interface_Name | rename Interface_Name as query | format

results to:

( ("ROUTERA AND xe-5/2/0" ) OR ( "ROUTERB AND xe-9/3/1" ) OR ( "ROUTERC AND xe-6/7/0" ) ... etc

this is NOT the result I was looking for since they have quotation marks.

this is what I need:

( (ROUTERA AND xe-5/2/0 ) OR (ROUTERB AND xe-9/3/1 ) OR (ROUTERC AND xe-6/7/0) ... etc

thank you in advance!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎03-22-2017 04:31 PM

Like this:

|inputlookup router_lookup | rename Router_Name as DEVICE_NAME Router_Interface as INTERFACE | eval Interface_Name=DEVICE_NAME." AND ".INTERFACE | fields Interface_Name | rename Interface_Name as query | format | rex field=search mode=sed "s/\"//g"

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎03-22-2017 04:31 PM

Like this:

|inputlookup router_lookup | rename Router_Name as DEVICE_NAME Router_Interface as INTERFACE | eval Interface_Name=DEVICE_NAME." AND ".INTERFACE | fields Interface_Name | rename Interface_Name as query | format | rex field=search mode=sed "s/\"//g"
Reply
Solved! Jump to solution

christopheryu
Communicator
‎03-23-2017 07:03 AM

That worked, thank you!

0 Karma
Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎03-21-2017 03:03 PM

Try this with your second search:

| return $query | format

But then simplify, you've got renames and such tht are really unnecessary.

|inputlookup router_lookup
| eval query=Router_Name." AND ".Router_Interface
| fields query
| return $query
| format

0 Karma
Reply
Solved! Jump to solution

christopheryu
Communicator
‎03-22-2017 07:34 AM

Thank you for the response. Here is what I got using your suggestion:

( ("ROUTERA AND xe-5/2/0" ))

Returned only one item and did not remove the quotation marks. Removing the "| return $query" yields the same result as my second search.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...