Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Using LOOKUP to insert a Regex string - is it possible?

ipicbc
Explorer
‎04-10-2017 03:28 AM

I want to insert a different regex string into my query for each host. I am thinking that a way to achieve this is by making a lookup into a CSV to retrieve the regex string, allocating to a new field, and then inserting it further on in the query.

Is this possible or ridiculous?

Thanks for your advice

Tags (1)
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎04-10-2017 06:34 AM

That's entirely possible. Say your lookup looks like this:

host,expression
A,foo
B,bar

Add your lookup to your data as automatic, and search like this:

base search | where match(some_field, expression)

That would filter to only keep events where the host-based expression matches some_field.

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎04-10-2017 12:18 PM

expression is the field produced by the automatic lookup.

0 Karma
Reply

ipicbc
Explorer
‎04-10-2017 09:28 AM

Thanks. How would I get the regex statement into expression?

0 Karma
Reply
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...