Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Search Using Lookup with Multiple Search Terms for the Same Field

stauff
Explorer
‎07-28-2021 09:20 AM

Hello All.

I am trying to use a lookup to perform a tstats search against a data model, where I want multiple search terms for the same field.  However, I cannot get this to work as desired.  I have an example below to show what is happening, and what I'm trying to achieve.

I have a lookup file named search_terms.csv:

process_execprocessprocess
someexe.exe*param1**param2*

 

Given this lookup file, here is the expanded search I am trying to achieve:

 

| tstats summariesonly=false allow_old_summaries=true count from datamodel=Endpoint.Processes where (Processes.process_exec=someexe.exe AND Processes.process=*param1* AND Processes.process=*param2*) by Processes.dest

 

Here is the first search I tried:

 

| tstats summariesonly=false allow_old_summaries=true count from datamodel=Endpoint.Processes where [ | inputlookup search_terms.csv | fields process_exec process | rename process_exec AS Processes.process_exec | rename process AS Processes.process ] by Processes.dest

 

However, expanding this search leads to the second process column being ignored:

 

| tstats summariesonly=false allow_old_summaries=true count from datamodel=Endpoint.Processes where (Processes.process_exec=someexe.exe AND Processes.process=*param1*) by Processes.dest

 

Since this did not work, I tried editing the lookup file to look like this:

process_execprocess
someexe.exe*param1*|||*param2*

 

Then I used makemv to make the process field multivalue:

 

| tstats summariesonly=false allow_old_summaries=true count from datamodel=Endpoint.Processes where [ | inputlookup search_terms.csv | fields process_exec process | makemv delim="|||" process | rename process_exec AS Processes.process_exec | rename process AS Processes.process ] by Processes.dest

 

However, this search expanded lead to an "OR" being used for the 2 process query values, instead of an "AND":

 

| tstats summariesonly=false allow_old_summaries=true count from datamodel=Endpoint.Processes where (Processes.process_exec=someexe.exe AND (Processes.process=*param1* OR Processes.process=*param2*)) by Processes.dest

 

Does anyone know of a method to create a search using a lookup that would lead to my desired search of:

 

| tstats summariesonly=false allow_old_summaries=true count from datamodel=Endpoint.Processes where (Processes.process_exec=someexe.exe AND Processes.process=*param1* AND Processes.process=*param2*) by Processes.dest

 

 

 

 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎07-28-2021 01:28 PM

Check out the format command.  It lets you change how the result of the subsearch is formatted, including replacing OR with AND.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

stauff
Explorer
‎07-28-2021 01:56 PM

This is exactly what I needed, thank you!  I was able to append the following to my subsearch to get the desired result:

| format mvsep="AND"

 

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎07-28-2021 01:28 PM

Check out the format command.  It lets you change how the result of the subsearch is formatted, including replacing OR with AND.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...