Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Use of Lookup with search query

Shashank_87
Explorer
‎08-05-2019 02:46 AM

Hi, I need some help related to a search query. My search query has a field called "holdings" which contain data like this -
"U14355|U114576|D105994". And i have a lookup with 600 unique codes like D123456, D876845 etc. (All starts with D)
Now I want to search only those events where one of the holdings also present in the lookup values.
For example - event with holdings as "U14355|U114576|D105994" should only return if D105994 is also present in the lookup.
Any help is much appreciated. Below query is obviously wrong -

index=test sourcetype="test_logs" "Customer Cart:"
| rex field=_raw "holdings = \'{(?[^}]+)}\'"
| join holdings [| inputlookup codes.csv]

0 Karma
Reply

jpolvino
Builder
‎08-05-2019 05:17 AM

One way to do it:

| makeresults
| eval holdings="U14355|U114576|D105994"
| makemv delim="|" holdings
| mvexpand holdings

This breaks up your holdings field into 3 separate events that can be compared against the field in your lookup.

In your case, it would look something like:

index=test sourcetype="test_logs" "Customer Cart:"
| rex field=_raw "holdings \= \'{(?[^}]+)}\'" 
| makemv delim="|" holdings
| mvexpand holdings
| lookup codes.csv (column) AS holdings

Where (column) is the column in your CSV that has the code you're looking for.

0 Karma
Reply

Shashank_87
Explorer
‎08-05-2019 06:15 AM

@jpolvino Thank you for your response. mvexpand increases the eventcount. What i need is only unique sessions. Can i do dedup uniqueID after this. Will it be valid?

Also this lookup command has to be supplied with OUTPUT fields. what should i write there? I only have one field in the lookup.

0 Karma
Reply

jpolvino
Builder
‎08-05-2019 06:37 AM

If you want to preserve the event count for your holdings field, then use a temp field like n:
index=test sourcetype="test_logs" "Customer Cart:"
| rex field=_raw "holdings = \'{(?[^}]+)}\'"
| eval n=split(holdings,"|")
| mvexpand n
| lookup codes.csv (column) AS n OUTPUT (field you want to see)
At the end just list the field you want to see as output.

0 Karma
Reply
Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

New Release | Splunk Cloud Platform 10.1.2507

Hello Splunk Community!We are thrilled to announce the General Availability of Splunk Cloud Platform 10.1.2507 ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...