- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Use of Lookup with search query
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Use of Lookup with search query
Hi, I need some help related to a search query. My search query has a field called "holdings" which contain data like this -
"U14355|U114576|D105994". And i have a lookup with 600 unique codes like D123456, D876845 etc. (All starts with D)
Now I want to search only those events where one of the holdings also present in the lookup values.
For example - event with holdings as "U14355|U114576|D105994" should only return if D105994 is also present in the lookup.
Any help is much appreciated. Below query is obviously wrong -
index=test sourcetype="test_logs" "Customer Cart:"
| rex field=_raw "holdings = \'{(?[^}]+)}\'"
| join holdings [| inputlookup codes.csv]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
One way to do it:
| makeresults
| eval holdings="U14355|U114576|D105994"
| makemv delim="|" holdings
| mvexpand holdings
This breaks up your holdings field into 3 separate events that can be compared against the field in your lookup.
In your case, it would look something like:
index=test sourcetype="test_logs" "Customer Cart:"
| rex field=_raw "holdings \= \'{(?[^}]+)}\'"
| makemv delim="|" holdings
| mvexpand holdings
| lookup codes.csv (column) AS holdings
Where (column) is the column in your CSV that has the code you're looking for.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@jpolvino Thank you for your response. mvexpand increases the eventcount. What i need is only unique sessions. Can i do dedup uniqueID after this. Will it be valid?
Also this lookup command has to be supplied with OUTPUT fields. what should i write there? I only have one field in the lookup.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you want to preserve the event count for your holdings field, then use a temp field like n:
index=test sourcetype="test_logs" "Customer Cart:"
| rex field=_raw "holdings = \'{(?[^}]+)}\'"
| eval n=split(holdings,"|")
| mvexpand n
| lookup codes.csv (column) AS n OUTPUT (field you want to see)
At the end just list the field you want to see as output.
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
