Splunk Search

Search Using Lookup with Multiple Search Terms for the Same Field

stauff
Explorer

Hello All.

I am trying to use a lookup to perform a tstats search against a data model, where I want multiple search terms for the same field.  However, I cannot get this to work as desired.  I have an example below to show what is happening, and what I'm trying to achieve.

I have a lookup file named search_terms.csv:

process_exec,process,process
someexe.exe,*param1*,*param2*

Given this lookup file, here is the expanded search I am trying to achieve:


| tstats summariesonly=false allow_old_summaries=true count from datamodel=Endpoint.Processes where (Processes.process_exec=someexe.exe AND Processes.process=*param1* AND Processes.process=*param2*) by Processes.dest


Here is the first search I tried:


| tstats summariesonly=false allow_old_summaries=true count from datamodel=Endpoint.Processes where [ | inputlookup search_terms.csv | fields process_exec process | rename process_exec AS Processes.process_exec | rename process AS Processes.process ] by Processes.dest


However, expanding this search leads to the second process column being ignored:


| tstats summariesonly=false allow_old_summaries=true count from datamodel=Endpoint.Processes where (Processes.process_exec=someexe.exe AND Processes.process=*param1*) by Processes.dest


Since this did not work, I tried editing the lookup file to look like this:

process_exec,process
someexe.exe,*param1*|||*param2*

Then I used makemv to make the process field multivalue:


| tstats summariesonly=false allow_old_summaries=true count from datamodel=Endpoint.Processes where [ | inputlookup search_terms.csv | fields process_exec process | makemv delim="|||" process | rename process_exec AS Processes.process_exec | rename process AS Processes.process ] by Processes.dest


However, this search, when expanded, led to an "OR" being used for the 2 process query values instead of an "AND":


| tstats summariesonly=false allow_old_summaries=true count from datamodel=Endpoint.Processes where (Processes.process_exec=someexe.exe AND (Processes.process=*param1* OR Processes.process=*param2*)) by Processes.dest


Does anyone know of a method to create a search using a lookup that would lead to my desired search of:


| tstats summariesonly=false allow_old_summaries=true count from datamodel=Endpoint.Processes where (Processes.process_exec=someexe.exe AND Processes.process=*param1* AND Processes.process=*param2*) by Processes.dest

1 Solution

richgalloway
SplunkTrust

Check out the format command.  It lets you change how the result of the subsearch is formatted, including replacing OR with AND.

---
If this reply helps you, Karma would be appreciated.


stauff
Explorer

This is exactly what I needed, thank you!  I was able to append the following to my subsearch to get the desired result:

| format mvsep="AND"

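To make the accepted answer concrete, here is a small Python model (added for this thread, not Splunk's own code) of how the `format` command assembles subsearch rows into a `where` clause, using its documented defaults (row prefix `(`, column prefix `(`, column separator `AND`, column end `)`, row separator `OR`, row end `)`, and `mvsep="OR"` for multivalue fields) so the effect of `| format mvsep="AND"` on the `makemv` output is visible. Values are left unquoted to match the expanded searches quoted above; Splunk's real output wraps values in double quotes, so treat the rendering as an approximation.

```python
# Simplified emulation of Splunk's `format` and `makemv` commands for one
# lookup row. Written for this thread as an illustration; it is not Splunk code.
from typing import Dict, List, Union

Row = Dict[str, Union[str, List[str]]]

def makemv(row: Row, field: str, delim: str) -> Row:
    """Emulate `makemv delim=<delim> <field>`: split one field into a multivalue list."""
    out: Row = dict(row)
    out[field] = str(row[field]).split(delim)
    return out

def format_subsearch(rows: List[Row], mvsep: str = "OR") -> str:
    """Render rows the way `| format mvsep=<mvsep>` does with default prefixes.

    Each row becomes "( f1=v1 AND f2=v2 )"; a multivalue field becomes
    "( f=v1 <mvsep> f=v2 )"; rows are joined with OR inside outer parentheses.
    """
    rendered_rows = []
    for row in rows:
        cols = []
        for field, value in row.items():
            if isinstance(value, list):
                terms = [f"{field}={v}" for v in value]
                cols.append("( " + f" {mvsep} ".join(terms) + " )")
            else:
                cols.append(f"{field}={value}")
        rendered_rows.append("( " + " AND ".join(cols) + " )")
    return "( " + " OR ".join(rendered_rows) + " )"

# Constructed sample row: search_terms.csv after the two rename commands in the thread.
LOOKUP_ROW: Row = {
    "Processes.process_exec": "someexe.exe",
    "Processes.process": "*param1*|||*param2*",
}

def build_where(mvsep: str = "OR") -> str:
    """Apply makemv on the process field, then format with the given mvsep."""
    return format_subsearch([makemv(LOOKUP_ROW, "Processes.process", "|||")], mvsep)

if __name__ == "__main__":
    print("default mvsep:", build_where())
    print('mvsep="AND":  ', build_where("AND"))
```

The default call reproduces the unwanted `OR` form from the question, while `build_where("AND")` yields the `AND`-joined clause the asker needed.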
