Solved: Re: Inputlookup and match only whole word in field...

John__Doe · ‎09-08-2017

I want to use a keyword list (inputlookup) to find a keyword (whole word only !) in the event text.

Sample Event text (field name is 'data'):

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Aliquam pretium urna vel auctor tempus. Integer velit libero, faucibus id ex.

I've imported a csv file containing keywords.

Keyword
adipiscing
faucibus

The inputlookup works fine:

| imputlookup keywords.csv

Searching for just a keyword works fine:

index=lorum adipiscing

Using inputlookup with the csv file doesn't work (no matches):

index=lorum [| imputlookup keywords.csv]

Any help writing my query is highly appreciated.

gcusello · ‎09-08-2017

Hi John__Doe,
you have to modify your subsearch:

your_search [ | inputlookup your_lookup.csv | rename keyword as query | fields query ]

In this way you can use lookup's keywords for a full text search.
Bye.
Giuseppe

View solution in original post

gcusello · ‎09-08-2017

Hi John__Doe,
you have to modify your subsearch:

your_search [ | inputlookup your_lookup.csv | rename keyword as query | fields query ]

In this way you can use lookup's keywords for a full text search.
Bye.
Giuseppe

John__Doe · ‎09-08-2017

Hi Cusello,

I've tried this:

index=lorum data=*  [ | inputlookup keywords.csv | rename keyword as query | fields query ]

But still no luck

John__Doe · ‎09-08-2017

The name of the field in 'keywords.csv' is keyword (lower k).

keyword
adipiscing
faucibus

gcusello · ‎09-08-2017

Using this method you can use lookup keywords to run a full text search on all the raw event, data field is in the raw data or not?
if data isn't in _raw field and instead it's only in a differente field and you want to search keywords in this field you must use a different approach
index=lorum data=* [ | inputlookup keywords.csv | eval data=""+keyword+"" | fields data ]
Bye.
Giuseppe

John__Doe · ‎09-08-2017

First example works (needed to change the time span). Apologize for the inconvenience caused

I've an error with the second example:

Error in 'search' command: Unable to parse the search: Comparator '=' has an invalid term on the right hand side: ((data= "adipiscing") OR (data= "faucibus"))

gcusello · ‎09-08-2017

Sorry: there's an error, I forgot the first asterisk!

index=lorum data= [ | inputlookup keywords.csv | eval data="*"+keyword+"*" | fields data ]

The second solution should be more performant.

Bye.
Giuseppe

John__Doe · ‎09-08-2017

still an error 🙂
Needs to be:

index=lorum data=* [ | inputlookup keywords.csv | eval data="*"+keyword+"*" | fields data ]

This doesn't find only the whole word because of using the asterisk wildcard ( * ). But still a useful example for me.

gcusello · ‎09-08-2017

The best way is to use the first solution.
Bye.
Giuseppe
P.S.: if you're satisfied, please accept answer.

John__Doe · ‎09-08-2017

many thanks and accepted

gcusello · ‎09-08-2017

what's the name of the field in lookup? you must use it in rename command.
Bye.
Giuseppe

Inputlookup and match only whole word in field text

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...