Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

SOLVED - Splunk Search Command, Regex, and OR Operator

fzuazo
Path Finder
‎06-27-2024 07:58 AM

Greetings all,

I'm trying to search inside a lookup table and I need to use a search command follow by an OR and regex

I need the regex to match anything in the lookup table and not just the two fields before it.

Below is some sample SPL, I know it won't work this way but I'm including it to give an idea of what I'm trying to accomplish.

 

 

| inputlookup data_source.csv
| fillnull value=MISSING
| search (count=MISSING AND percent=MISSING) OR regex "[^0-9a-zA-Z\-\._,]"

 

 

Thanks in advance for the help, I really appreciate it.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-27-2024 08:52 AM

Try something like this

| inputlookup data_source.csv
| fillnull value="MISSING"
| where (count="MISSING" AND percent="MISSING") OR match(count, "[^0-9a-zA-Z\-\._,]") OR match(percent, "[^0-9a-zA-Z\-\._,]")

View solution in original post

Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎06-27-2024 08:54 AM

First, you want to familiarize yourself with where command and how it differs from search command.  As @ITWhisperer said, search operates on _raw field.  Because inputlookup does not produce raw events, you need to specify which field or fields from data_source.csv to apply that regex.  Suppose all you want to do is to match a field named somefield, your search can be simply:

| inputlookup data_source.csv
| where (isnull(count) AND isnull(percent)) OR match(somefield, "[^0-9a-zA-Z\-\._,]")

Here, there is no need to fillnull because isnull function test the condition without a spurious assignment.

Now, if you want to apply that regex to every field from this lookup, the following should work but that's really not what Splunk is designed to do.

| inputlookup data_source.csv
| foreach *
    [eval allfields = if(isnull(allfields), "", allfields) . <<FIELD>>]
| where (isnull(count) AND isnull(percent)) OR match(allfields, "[^0-9a-zA-Z\-\._,]")

 

Tags (1)
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-27-2024 08:14 AM

The search command and regex command by default work on the _raw field. This is normally present in the events in your index. Since your events are coming from a lookup, it is unlikely that you have a _raw field, which means you need to specify a field for the regex command to filter on.

Can you rewrite your filter requirement such that it can be applied to fields returned by your inputlookup?

0 Karma
Reply
Solved! Jump to solution

fzuazo
Path Finder
‎06-27-2024 08:25 AM

Thanks for the input.

I can definitely do that but I need to make sure that the regex searches are chained with ORs to the previous searches.

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-27-2024 08:52 AM

Try something like this

| inputlookup data_source.csv
| fillnull value="MISSING"
| where (count="MISSING" AND percent="MISSING") OR match(count, "[^0-9a-zA-Z\-\._,]") OR match(percent, "[^0-9a-zA-Z\-\._,]")
Reply
Solved! Jump to solution

fzuazo
Path Finder
‎06-27-2024 10:48 AM

Thank you !

 

0 Karma
Reply
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...