Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Identfying the Search Terms Matched

matts1234
Engager
‎11-04-2011 09:45 AM

I am trying to search through a data set with a large amount of search terms. This works perfectly using inputlookup tables. The tables allow me to store lots of different terms in a list rather than putting them all in the query. As an example:

index=infrastructure [inputlookup my_search_terms | fields content]

The only problem with this method is that I don't always know what term is matched against the results. Is there a way to display what the result was matched against?

For example, if the term "apache" was matched against in my results, is they a way to find out that the term matched was indeed "apache"?

I appreciate the help in advance.

Cheers,
Matt

Tags (3)
Reply

worshamn
Contributor
‎06-28-2016 09:07 PM

I know this is an old post but I too needed this exact same functionality. Being that none existed I created the matched command app--https://splunkbase.splunk.com/app/3209/. The app supplies just one command - matched - and can be used like so:

* [|inputlookup ransomware_variants|rename variant as search|format]|table _time _raw|matched csv="/opt/splunk/etc/system/lookups/ransomware_variants.csv"

Hopefully it helps someone else out with the same problem.

Reply

Ayn
Legend
‎11-04-2011 10:39 AM

No, there is no such functionality. What you could do is use highlight with all the search terms you're using. More info on the highlight command: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Highlight

0 Karma
Reply

Ayn
Legend
‎02-19-2013 02:25 AM

Did you really post this answer in the correct place? It seems to be kind of unrelated to the question.

Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...