
Search Using Lookup with Multiple Search Terms for the Same Field

stauff
Explorer

Hello All.

I am trying to use a lookup to perform a tstats search against a data model, where I want multiple search terms for the same field.  However, I cannot get this to work as desired.  I have an example below to show what is happening, and what I'm trying to achieve.

I have a lookup file named search_terms.csv:

process_exec,process,process
someexe.exe,*param1*,*param2*

 

Given this lookup file, here is the expanded search I am trying to achieve:

 

| tstats summariesonly=false allow_old_summaries=true count from datamodel=Endpoint.Processes where (Processes.process_exec=someexe.exe AND Processes.process=*param1* AND Processes.process=*param2*) by Processes.dest

 

Here is the first search I tried:

 

| tstats summariesonly=false allow_old_summaries=true count from datamodel=Endpoint.Processes where [ | inputlookup search_terms.csv | fields process_exec process | rename process_exec AS Processes.process_exec | rename process AS Processes.process ] by Processes.dest

 

However, expanding this search leads to the second process column being ignored:

 

| tstats summariesonly=false allow_old_summaries=true count from datamodel=Endpoint.Processes where (Processes.process_exec=someexe.exe AND Processes.process=*param1*) by Processes.dest

 

Since this did not work, I tried editing the lookup file to look like this:

process_exec,process
someexe.exe,*param1*|||*param2*

 

Then I used makemv to make the process field multivalue:

 

| tstats summariesonly=false allow_old_summaries=true count from datamodel=Endpoint.Processes where [ | inputlookup search_terms.csv | fields process_exec process | makemv delim="|||" process | rename process_exec AS Processes.process_exec | rename process AS Processes.process ] by Processes.dest

 

However, when expanded, this search led to an "OR" being used for the 2 process query values instead of an "AND":

 

| tstats summariesonly=false allow_old_summaries=true count from datamodel=Endpoint.Processes where (Processes.process_exec=someexe.exe AND (Processes.process=*param1* OR Processes.process=*param2*)) by Processes.dest

 

Does anyone know of a method to create a search using a lookup that would lead to my desired search of:

 

| tstats summariesonly=false allow_old_summaries=true count from datamodel=Endpoint.Processes where (Processes.process_exec=someexe.exe AND Processes.process=*param1* AND Processes.process=*param2*) by Processes.dest


richgalloway
SplunkTrust

Check out the format command.  It lets you change how the result of the subsearch is formatted, including replacing OR with AND.

---
If this reply helps you, Karma would be appreciated.


stauff
Explorer

This is exactly what I needed, thank you!  I was able to append the following to my subsearch to get the desired result:

| format mvsep="AND"

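As an added illustration (not code from this thread or from Splunk itself), here is a small Python model of how the subsearch rows in the question become the `where` clause: the lookup is parsed, `process` is split on `|||` as makemv does, the fields are renamed, and the rows are rendered with the default `format` layout, whose multivalue separator is OR; passing mvsep="AND" reproduces the accepted fix. The CSV text is constructed, and the renderer drops the outer row wrapper for a single row so its output matches the expansions quoted above.

```python
import csv
import io

# Constructed stand-in for search_terms.csv (second layout from the question).
SEARCH_TERMS_CSV = """process_exec,process
someexe.exe,*param1*|||*param2*
"""

# Lookup column -> data-model field, as done by the two `rename` stages.
RENAMES = {"process_exec": "Processes.process_exec", "process": "Processes.process"}


def load_lookup(csv_text, mv_field="process", delim="|||"):
    """Emulate `inputlookup ... | makemv delim="|||" process`: each CSV row becomes
    a dict, and mv_field is split on delim into a list of values."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row = dict(row)
        if mv_field in row and delim in row[mv_field]:
            row[mv_field] = row[mv_field].split(delim)
        rows.append(row)
    return rows


def rename_fields(rows, mapping):
    """Emulate the `rename` stages; dict order keeps the column order."""
    return [{mapping.get(k, k): v for k, v in row.items()} for row in rows]


def expand_subsearch(rows, mvsep="OR"):
    """Model of `format` with its default layout "(" "(" "AND" ")" "OR" ")":
    columns of a row are joined with AND, rows with OR, and the values of a
    multivalue field are joined with mvsep (OR unless overridden)."""
    rendered = []
    for row in rows:
        terms = []
        for field, value in row.items():
            if isinstance(value, list):
                terms.append("(" + f" {mvsep} ".join(f"{field}={v}" for v in value) + ")")
            else:
                terms.append(f"{field}={value}")
        rendered.append("(" + " AND ".join(terms) + ")")
    # A single row is shown without the outer row wrapper, as in the question.
    return rendered[0] if len(rendered) == 1 else "(" + " OR ".join(rendered) + ")"


def build_where(csv_text, mvsep="OR"):
    """Whole subsearch: inputlookup -> makemv -> rename -> format."""
    return expand_subsearch(rename_fields(load_lookup(csv_text), RENAMES), mvsep)


if __name__ == "__main__":
    print(build_where(SEARCH_TERMS_CSV))               # default mvsep: OR between patterns
    print(build_where(SEARCH_TERMS_CSV, mvsep="AND"))  # with | format mvsep="AND"
```

With mvsep="AND" the rendered clause keeps the inner parentheses around the two process terms, which is logically the same as the flat AND chain the question asks for.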
