I have an index set up that holds a number of fields, one of which is a comma-separated list of reference numbers, and I need to be able to search within this field via a dashboard.
This is fine for a single reference, as we can just search within the field and prefix/suffix the dashboard parameter with wildcards, but for multiple values, which can be significant, I can not see a way of searching. While I have looked at |split and IN, neither seems to provide what I need, though that may be down to what I tried.
Example data:
```
Keys="272476, 272529, 274669, 714062, 714273, 845143, 851056, 853957, 855183"
```
I need to be able to enter any number of keys, in any order, and find any records that contain ANY of the keys - not all of them in a set order. So for the above it should return a match if I search for (853957) or (855183, 714062) or (272476, 714062, 855183).
Is anyone able to point me towards a logical solution for this? It will be a key aspect of our use of SPLUNK, enabling users to copy/paste a list of reference numbers and assess where these occur in our logs.
Doing some SPL like this may lead you in the right direction, if I am understanding your question correctly.
Note: The top portion of this code is just generating sample data; the meat of the solution is where the comments start (``` <comment> ```).
````
| makeresults
| eval input_value="83, 9123, 272529, 1234"
| append
    [
    | makeresults
    | eval input_value="851056, 714062, 6234, 91258,272476"
    ]
| append
    [
    | makeresults
    | eval input_value="28, 10001, 18, 99923,1027385"
    ]
``` Generating field with the comma delimited list of Keys ```
| eval Keys="272476, 272529, 274669, 714062, 714273, 845143, 851056, 853957, 855183"
``` Splitting both Keys and simulated user input fields into multivalued fields ```
| eval
    mv_Keys=trim(split(Keys, ","), " "),
    mv_input_value=trim(split(input_value, ","), " ")
``` looping through each entry in a multivalue field 'mv_input_value' and checking if it exists in the list of Keys ```
| eval intersecting_keys=case(
    isnull(mv_input_value), null(),
    mvcount(mv_input_value)==1, if('mv_input_value'=='mv_Keys', 'mv_input_value', null()),
    mvcount(mv_input_value)>1, mvmap(mv_input_value, if('mv_input_value'=='mv_Keys', 'mv_input_value', null()))
    )
````
Results are shown in the screenshot.
You can split the comma-delimited lists into MV fields and then loop through one of them to individually check if each number exists in the other multivalued field. In this example I did this and created a new field 'intersecting_keys' to return the numbers that exist in both fields.
And I have managed to solve it... should have fetched a coffee before posting, I guess.
So I just needed to add a |search with IN after the |split:
```
index="PreProduction" source="Transactions"
| eval KeysSplit=split(Keys,", ")
| search KeysSplit IN($ObjectRefs$)
```
I can then |table my results.
Hopefully this may be useful to someone else.
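Combining the two posts above (the multivalue intersection from the first answer and the dashboard token from Steven's solution) into one dashboard search, as an added example that is not code from either poster. It assumes the same index, source, Keys field and ObjectRefs token named above; the `$ObjectRefs|s$` form inserts the pasted value as a single quoted, escaped string so it is treated as data rather than parsed as SPL, and whitespace is stripped with replace() before the split so that eval's single-value string functions are never applied to a multivalue field.

```spl
index="PreProduction" source="Transactions"
| eval KeysSplit=split(replace(Keys, "\s+", ""), ",")
| eval WantedList="," . replace($ObjectRefs|s$, "\s+", "") . ","
| eval matched=mvmap(KeysSplit, if(like(WantedList, "%," . KeysSplit . ",%"), KeysSplit, null()))
| where mvcount(matched) > 0
| table _time Keys matched
```

The WantedList value is wrapped in leading and trailing commas so that like() only matches a whole key (",714062," cannot match ",7140621,"), and the matched field lists exactly which of the pasted references occurred in each event.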
Thanks - that is a lot more detailed than my solution, and I like the intersection - that will be useful for me to help people know what was in there; we often have hundreds of keys returned, and seeing which ones were returned is really useful.
Thanks,
Steven