Solved: Query with Thousands IDs in searche whit OR

Dmitriy · ‎08-04-2021

Hello, i need help.

I have 6500 IIN (like id) and put this id to lookup then tried search: index=alfa [|inputlookup IIN_oleg.csv |rename IIN as search | fields search]

They given result only for one firs IIN in lookup.

If i search whit out lookup just 10 IIN whit "OR" the give me 10 result

kamlesh_vaghela · ‎08-04-2021

Try this,

index=alfa [|inputlookup IIN_oleg.csv  |rename IIN as search | table search | format "(" "(" "AND" ")" "OR" ")"]

View solution in original post

kamlesh_vaghela · ‎08-04-2021

@Dmitriy

One more thing I observed in my instance. Incase if may OR conditions the search it self is getting break.. So can you please run your search and check the job inspect? Is that any error?

Dmitriy · ‎08-04-2021

start search index=alfa [|inputlookup IIN_oleg.csv |rename IIN as search | fields search]

search.log

08-05-2021 12:36:55.531 ERROR LookupProviderFactory - Must specify one or more lookup fields.

08-05-2021 12:36:54.743 INFO  SearchParser - PARSING: search index=alfa [|inputlookup IIN_oleg.csv  |rename IIN as search | fields search] |

08-05-2021 12:36:55.531 ERROR LookupProviderFactory - Must specify one or more lookup fields.
08-05-2021 12:36:55.531 ERROR AutoLookupDriver - Could not load lookup='LOOKUP-cisco_asa_ids_lookup' reason='Error in 'lookup' command: Must specify one or more lookup fields.'
08-05-2021 12:36:55.531 ERROR LookupProviderFactory - Must specify one or more lookup fields.
08-05-2021 12:36:55.531 ERROR AutoLookupDriver - Could not load lookup='LOOKUP-cisco_asa_intrusion_severity_lookup' reason='Error in 'lookup' command: Must specify one or more lookup fields.'

Dmitriy · ‎08-04-2021

i can not find in logs why the thake only firs value in lookup. I think the problem in query

kamlesh_vaghela · ‎08-04-2021

Try this,

index=alfa [|inputlookup IIN_oleg.csv  |rename IIN as search | table search | format "(" "(" "AND" ")" "OR" ")"]

Dmitriy · ‎08-05-2021

YEEHAA !!! Its work now, they give me correct result. Thank you very much.

kamlesh_vaghela · ‎08-05-2021

cool

Glad to help you 🙂

!! Happy Splunking !!

Dmitriy · ‎08-04-2021

No, not give any result 😔

kamlesh_vaghela · ‎08-04-2021

@Dmitriy

Can you please try this?

index=alfa 
| rex field=_raw "parameter\sname=\\\\\"(?<name>.*)\\\\\"\svalue=\\\\\"(?<value>\d+)\\\\\"\/&gt;"
| where name="IIN" 
| stats count by value

KV

Dmitriy · ‎08-04-2021

we dont have field like IIN in index data

index=alfa 
| rex field=_raw "parameter\sname=\\\\\"(?<name>.*)\\\\\"\svalue=\\\\\"(?<value>\d+)\\\\\"\/&gt;"
| where name="IIN" 
| stats count by value

Result 0

kamlesh_vaghela · ‎08-04-2021

@Dmitriy

What is the value in field name ?

Dmitriy · ‎08-04-2021

the IIN dont have field name in index

kamlesh_vaghela · ‎08-04-2021

OK

Then how you want to map with IIN_oleg.csv?

Dmitriy · ‎08-04-2021

lookup data

data in index

kamlesh_vaghela · ‎08-04-2021

Thanks @Dmitriy

Are you able to extract name and value fields from events?

index=alfa name="IIN" | stats count by value

Is this query working for you?

If Not can you please share sample _raw event, so I can help you on extraction also.

KV

Dmitriy · ‎08-04-2021

index=alfa name="IIN" | stats count by value

result 0

kamlesh_vaghela · ‎08-04-2021

@Dmitriy

Can you please share the field name and sample data from index alfa ?

KV

kamlesh_vaghela · ‎08-04-2021

@Dmitriy

If you have same field name then you can try like this.

index = alfa
| lookup  IIN_oleg.csv IIN output IIN as IIN_1
| where isnotnull(IIN_1)

KV

Query with Thousands IDs in searche whit OR

lookup

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!