Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

SOLVED - Splunk Search Command, Regex, and OR Operator

fzuazo
Path Finder
‎06-27-2024 07:58 AM

Greetings all,

I'm trying to search inside a lookup table and I need to use a search command follow by an OR and regex

I need the regex to match anything in the lookup table and not just the two fields before it.

Below is some sample SPL, I know it won't work this way but I'm including it to give an idea of what I'm trying to accomplish.

 

 

| inputlookup data_source.csv
| fillnull value=MISSING
| search (count=MISSING AND percent=MISSING) OR regex "[^0-9a-zA-Z\-\._,]"

 

 

Thanks in advance for the help, I really appreciate it.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-27-2024 08:52 AM

Try something like this

| inputlookup data_source.csv
| fillnull value="MISSING"
| where (count="MISSING" AND percent="MISSING") OR match(count, "[^0-9a-zA-Z\-\._,]") OR match(percent, "[^0-9a-zA-Z\-\._,]")

View solution in original post

Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎06-27-2024 08:54 AM

First, you want to familiarize yourself with where command and how it differs from search command.  As @ITWhisperer said, search operates on _raw field.  Because inputlookup does not produce raw events, you need to specify which field or fields from data_source.csv to apply that regex.  Suppose all you want to do is to match a field named somefield, your search can be simply:

| inputlookup data_source.csv
| where (isnull(count) AND isnull(percent)) OR match(somefield, "[^0-9a-zA-Z\-\._,]")

Here, there is no need to fillnull because isnull function test the condition without a spurious assignment.

Now, if you want to apply that regex to every field from this lookup, the following should work but that's really not what Splunk is designed to do.

| inputlookup data_source.csv
| foreach *
    [eval allfields = if(isnull(allfields), "", allfields) . <<FIELD>>]
| where (isnull(count) AND isnull(percent)) OR match(allfields, "[^0-9a-zA-Z\-\._,]")

 

Tags (1)
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-27-2024 08:14 AM

The search command and regex command by default work on the _raw field. This is normally present in the events in your index. Since your events are coming from a lookup, it is unlikely that you have a _raw field, which means you need to specify a field for the regex command to filter on.

Can you rewrite your filter requirement such that it can be applied to fields returned by your inputlookup?

0 Karma
Reply
Solved! Jump to solution

fzuazo
Path Finder
‎06-27-2024 08:25 AM

Thanks for the input.

I can definitely do that but I need to make sure that the regex searches are chained with ORs to the previous searches.

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-27-2024 08:52 AM

Try something like this

| inputlookup data_source.csv
| fillnull value="MISSING"
| where (count="MISSING" AND percent="MISSING") OR match(count, "[^0-9a-zA-Z\-\._,]") OR match(percent, "[^0-9a-zA-Z\-\._,]")
Reply
Solved! Jump to solution

fzuazo
Path Finder
‎06-27-2024 10:48 AM

Thank you !

 

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...