Solved: Searching a block of text for multiple values from...

El_Franco · ‎12-19-2023

I have an index set up that holds a number of fields, one of which is a comma separated list of reference numbers and I need to be able to search within this field via a dashboard.

This is fine for a single reference as we can just search within the field and on the parameter on the dashboard prefix/suffix with wildcards but for multiple values, which can be significant, I can not see a way of searching While I have looked at |split and In neither seem to provide what I need though that may be down to what I tried.

Example data:

Keys="272476, 272529, 274669, 714062, 714273, 845143, 851056, 853957, 855183"

I need to be able to enter in any number of keys, in any order, and find any records that contain ANY of the keys - not all of them in a set order. So for the above it should return if I search for (853957) or (855183, 714062) or (272476, 714062, 855183)

Is anyone able to point me towards a logical solution on this - it will be a key aspect of our use of SPLUNK to enable users to copy/paste a list of reference numbers and assess where these occur in our logs.

dtburrows3 · ‎12-19-2023

Doing some SPL like this may lead you in the right direction if I am understanding you question correctly.
Note: The top portion of this code is just generating sampe data, the meat of the solution is where the comments start ``` <comment> ```

| makeresults
    | eval
        input_value="83, 9123, 272529, 1234"
    | append
        [
            | makeresults
                | eval
                    input_value="851056, 714062, 6234, 91258,272476"
            ]
    | append 
        [
            | makeresults
                | eval
                    input_value="28, 10001, 18, 99923,1027385"
            ]
    ``` Generating field with the comma delimited list of Keys ```
    | eval
        Keys="272476, 272529, 274669, 714062, 714273, 845143, 851056, 853957, 855183"
    ``` Splitting both Keys and simulated user input fields into multivalued fields ```
    | eval
        mv_Keys=trim(split(Keys, ","), " "),
        mv_input_value=trim(split(input_value, ","), " ")
    ``` looping through each entry in a multivalue field 'mv_input_value' and checking if it exists in the list of Keys ```
    | eval
        intersecting_keys=case(
            isnull(mv_input_value), null(),
            mvcount(mv_input_value)==1, if('mv_input_value'=='mv_Keys', 'mv_input_value', null()),
            mvcount(mv_input_value)>1, mvmap(mv_input_value, if('mv_input_value'=='mv_Keys', 'mv_input_value', null()))
            )

Results show in the screenshot

You can split the comma delimited lists into MV fields and then loop through one of them to individually check if that number exists in another multivalued field. In this example I did this and created a new field 'intersecting_keys' to return the number that exist in both fields.

View solution in original post

El_Franco · ‎12-19-2023

And I have managed to solve it.. should have fetched a coffee before posting I guess.

So just needed to add a |Search and IN after the |Split

index="PreProduction" source="Transactions"
| eval KeysSplit=split(Keys,", ")
| search PKSSplit IN($ObjectRefs$)

I can then |table my results.

Hopefully this may be useful to someone else.

dtburrows3 · ‎12-19-2023

Doing some SPL like this may lead you in the right direction if I am understanding you question correctly.
Note: The top portion of this code is just generating sampe data, the meat of the solution is where the comments start ``` <comment> ```

| makeresults
    | eval
        input_value="83, 9123, 272529, 1234"
    | append
        [
            | makeresults
                | eval
                    input_value="851056, 714062, 6234, 91258,272476"
            ]
    | append 
        [
            | makeresults
                | eval
                    input_value="28, 10001, 18, 99923,1027385"
            ]
    ``` Generating field with the comma delimited list of Keys ```
    | eval
        Keys="272476, 272529, 274669, 714062, 714273, 845143, 851056, 853957, 855183"
    ``` Splitting both Keys and simulated user input fields into multivalued fields ```
    | eval
        mv_Keys=trim(split(Keys, ","), " "),
        mv_input_value=trim(split(input_value, ","), " ")
    ``` looping through each entry in a multivalue field 'mv_input_value' and checking if it exists in the list of Keys ```
    | eval
        intersecting_keys=case(
            isnull(mv_input_value), null(),
            mvcount(mv_input_value)==1, if('mv_input_value'=='mv_Keys', 'mv_input_value', null()),
            mvcount(mv_input_value)>1, mvmap(mv_input_value, if('mv_input_value'=='mv_Keys', 'mv_input_value', null()))
            )

Results show in the screenshot

You can split the comma delimited lists into MV fields and then loop through one of them to individually check if that number exists in another multivalued field. In this example I did this and created a new field 'intersecting_keys' to return the number that exist in both fields.

El_Franco · ‎12-19-2023

Thanks - that is a lot more detailed than my solution and I like the intersection - that will be useful for me to help people know what was in there - we often have hundreds of keys returned and to see which ones were retuned is really useful.

Thanks,

Steven

Searching a block of text for multiple values from a list.

subsearch

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio