Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Search Using Lookup with Multiple Search Terms for the Same Field

stauff
Explorer
‎07-28-2021 09:20 AM

Hello All.

I am trying to use a lookup to perform a tstats search against a data model, where I want multiple search terms for the same field.  However, I cannot get this to work as desired.  I have an example below to show what is happening, and what I'm trying to achieve.

I have a lookup file named search_terms.csv:

process_execprocessprocess
someexe.exe*param1**param2*

 

Given this lookup file, here is the expanded search I am trying to achieve:

 

| tstats summariesonly=false allow_old_summaries=true count from datamodel=Endpoint.Processes where (Processes.process_exec=someexe.exe AND Processes.process=*param1* AND Processes.process=*param2*) by Processes.dest

 

Here is the first search I tried:

 

| tstats summariesonly=false allow_old_summaries=true count from datamodel=Endpoint.Processes where [ | inputlookup search_terms.csv | fields process_exec process | rename process_exec AS Processes.process_exec | rename process AS Processes.process ] by Processes.dest

 

However, expanding this search leads to the second process column being ignored:

 

| tstats summariesonly=false allow_old_summaries=true count from datamodel=Endpoint.Processes where (Processes.process_exec=someexe.exe AND Processes.process=*param1*) by Processes.dest

 

Since this did not work, I tried editing the lookup file to look like this:

process_execprocess
someexe.exe*param1*|||*param2*

 

Then I used makemv to make the process field multivalue:

 

| tstats summariesonly=false allow_old_summaries=true count from datamodel=Endpoint.Processes where [ | inputlookup search_terms.csv | fields process_exec process | makemv delim="|||" process | rename process_exec AS Processes.process_exec | rename process AS Processes.process ] by Processes.dest

 

However, this search expanded lead to an "OR" being used for the 2 process query values, instead of an "AND":

 

| tstats summariesonly=false allow_old_summaries=true count from datamodel=Endpoint.Processes where (Processes.process_exec=someexe.exe AND (Processes.process=*param1* OR Processes.process=*param2*)) by Processes.dest

 

Does anyone know of a method to create a search using a lookup that would lead to my desired search of:

 

| tstats summariesonly=false allow_old_summaries=true count from datamodel=Endpoint.Processes where (Processes.process_exec=someexe.exe AND Processes.process=*param1* AND Processes.process=*param2*) by Processes.dest

 

 

 

 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎07-28-2021 01:28 PM

Check out the format command.  It lets you change how the result of the subsearch is formatted, including replacing OR with AND.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

stauff
Explorer
‎07-28-2021 01:56 PM

This is exactly what I needed, thank you!  I was able to append the following to my subsearch to get the desired result:

| format mvsep="AND"

 

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎07-28-2021 01:28 PM

Check out the format command.  It lets you change how the result of the subsearch is formatted, including replacing OR with AND.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...