Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Search using automatic lookup field

satoto4
New Member
‎02-07-2013 08:55 PM

Hello,
I am trying to search source=test.csv (including fieldA) with the attached lookup file.
I define the automatic lookup like 'URL as fieldA OUTPUTNEW DomainGroup AS Domain4fieldA'.
Then I search like 'source=test.csv (Domain4fieldA="G1" OR Domain4fieldA="G2") | eval Service=Domain4fieldA | fields fieldA,Service'

I expect the search result.
Service="G1,G2" in case of fieldA="www.google.co.jp" and
Service="G2" in case of fieldA="www.splunk.com"

But I get ..
Service="G1,G2,G3" in case of fieldA="www.google.co.jp" and
Service="G2,G4" in case of fieldA="www.splunk.com"

How can I search to get the correct result ?
Please notify.

"DomainGroup","URL"
"G1","www.google.co.jp"
"G1","www.google.com"
"G1","www.yahoo.co.jp"
"G2","www.google.co.jp"
"G2","www.amazon.co.jp"
"G2","www.rakuten.co.jp"
"G2","www.splunk.com"
"G3","www.microsoft.com"
"G3","www.google.co.jp"
"G4","www.splunk.com"
"G4","www.apple.com"

Tags (1)
0 Karma
Reply

lguinn2
Legend
‎02-07-2013 11:40 PM

I understand your thinking, but here is what really happens

First, Splunk identifies all the events in the index that match your criteria. These events have various fieldA values. Let's pretend that the first two events look like this:

 fieldA=www.google.co.jp fieldB=other_data a message here
 fieldA=www.splunk.com fieldB=something_else  a different message here

Second, Splunk performs the lookup (it can't complete the search until it gets the values for Domain4fieldA). When Splunk does the lookup, it finds ALL of the matching values and adds them to the events as a multi-valued field. This effectively does this:

 fieldA=www.google.co.jp fieldB=other_data a message here Domain4fieldA=G1,G2,G3
 fieldA=www.splunk.com fieldB=something_else  a different message here Domain4fieldA=G2,G4

Third, Splunk determines which events now match your criteria - they have a value of either G1 or G2 in the Domain4fieldA. Both events qualify. Note that this does NOT eliminate the non-matching values of Domain4fieldA. It only eliminates events that don't have a matching value for Domain4fieldA.

Finally, the eval and table commands are processed as usual.

If you don't want to see the other values in the multi-valued field, you will need to remove them. Try this command:

source=test.csv (Domain4fieldA="G1" OR Domain4fieldA="G2") 
| eval Service==mvfilter(match(Domain4fieldA, "G1") OR match(Domain4fieldA, "G2")) 
| fields fieldA,Service
Reply

satoto4
New Member
‎02-08-2013 12:13 AM

Thank you. I could get my expecting data.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...