Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Lookup table to many search queries

Accak
Path Finder
‎02-28-2017 02:09 AM

I have lookup table like this:

locationOrFunction, asset_id
London,Application for one;Application for two;Application for three;Appfor HR 
Jakarta,Application for one
Lausanne, Application for two;LBPF*;Application for three;
Monako, Application for *

I want to get something like this:

locationOrFunction, asset_id
London, "Application for one" OR "Application for two" OR "Application for three" OR "Appfor HR" 
Jakarta, "Application for one"
Lausanne, "Application for two" OR "LBPF*" "Application for three"
Monako, "Application for *"

OR

 locationOrFunction, asset_id
    London, asset_id="Application for one" OR asset_id="Application for two" OR asset_id= "Application for three" OR asset_id="Appfor HR" 
    Jakarta, asset_id="Application for one"
    Lausanne, asset_id="Application for two" OR asset_id="LBPF*" asset_id="Application for three"
    Monako, "asset_id=Application for *"

I want to use it in multiselect input.
I tried with format, but it gets all rows (combine all locations), what I want to get is search queries for all independently.
Probably regex will be the answer, but I can't figure it out by myself. Any ideas?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Accak
Path Finder
‎02-28-2017 02:36 AM

I managed to do it:

 | inputlookup Asset_id_sorted_by_category.csv | eval asset_id = split(asset_id, ";")| rex field=asset_id mode=sed "s/$/\"/" | rex field=asset_id mode=sed  "s/^/ OR asset_id=\"/" | nomv asset_id | rex field=asset_id mode=sed  "s/OR//" |table asset_id, locationOrFunction

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Accak
Path Finder
‎02-28-2017 02:36 AM

I managed to do it:

 | inputlookup Asset_id_sorted_by_category.csv | eval asset_id = split(asset_id, ";")| rex field=asset_id mode=sed "s/$/\"/" | rex field=asset_id mode=sed  "s/^/ OR asset_id=\"/" | nomv asset_id | rex field=asset_id mode=sed  "s/OR//" |table asset_id, locationOrFunction
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

    Are you ready to transform how your team handles complex data requests? We invite you to our upcoming ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...