Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Using LOOKUP to insert a Regex string - is it possible?

ipicbc
Explorer
‎04-10-2017 03:28 AM

I want to insert a different regex string into my query for each host. I am thinking that a way to achieve this is by making a lookup into a CSV to retrieve the regex string, allocating to a new field, and then inserting it further on in the query.

Is this possible or ridiculous?

Thanks for your advice

Tags (1)
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎04-10-2017 06:34 AM

That's entirely possible. Say your lookup looks like this:

host,expression
A,foo
B,bar

Add your lookup to your data as automatic, and search like this:

base search | where match(some_field, expression)

That would filter to only keep events where the host-based expression matches some_field.

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎04-10-2017 12:18 PM

expression is the field produced by the automatic lookup.

0 Karma
Reply

ipicbc
Explorer
‎04-10-2017 09:28 AM

Thanks. How would I get the regex statement into expression?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk APM & RUM | Upcoming Planned Maintenance

There will be planned maintenance of the streaming infrastructure for Splunk APM and Splunk RUM in the coming ...

Part 2: Diving Deeper With AIOps

Getting the Most Out of Event Correlation and Alert Storm Detection in Splunk IT Service Intelligence   Watch ...

User Groups | Upcoming Events!

If by chance you weren't already aware, the Splunk Community is host to numerous User Groups, organized ...