Hello!
I've been looking around for an answer to this one, either it eludes me or I'm straight up asking the wrong question.
I'm trying to create a hideous search utilizing the where like functions.
My search currently looks similar to this:
index="someindex" | lookup somelookup.csv LookupField as EventField output LookupField | search NOT LookupField=* |
where like(EventField,"%ext") OR like(EventField,"t%xt") OR like(EventField,"te%t") OR like(EventField,"tex%") | further transforming etc
What I'm looking to achieve, to make my life a little easier and potentially get a better search all round, is for the text within the like function to be replaced with text brought in from a lookup; as far as I can tell this is not possible, which means creating lots of similar searches.
If anyone can point me in the right direction that'd be grand or have another approach to this search.
Thanks in advance!
Try this:
index="someindex"
[|inputlookup YourLookupHere
| format "(" "like(" "OR" ")" "OR" ")"
| rex field=search mode=sed "s/=/,/g"]
Would a wildcard-based lookup from a lookup table work for you? You can save values like *test*
in your lookup table and then define the lookup as matchtype WILDCARD. See this question for an example: https://answers.splunk.com/answers/52580/can-we-use-wildcard-characters-in-a-lookup-table.html.
You can do this either through the back end or in the GUI.
Have you tried 'replace' to replace the string? https://docs.splunk.com/Documentation/SplunkCloud/7.2.4/SearchReference/Replace
Also, you can use where match() to match a regex pattern to check.
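Added illustration, not code from any of the answers above or from Splunk itself: a small Python stand-in for the three approaches discussed, using a constructed lookup CSV (stands in for somelookup.csv, with the patterns from the question). It generates the like() OR-clause the first answer builds with format and sed, translates like() patterns (% and _) and matchtype WILDCARD patterns (*) into anchored regexes so the same lookup rows can drive match(), and checks an event field value against the rows the way the lookup match would. The field names EventField and LookupField are taken from the question; everything else is an assumption of this example.

```python
import csv
import io
import re

# Constructed sample lookup (stands in for somelookup.csv in the question).
# Each row is a like()-style pattern: % = any run of characters, _ = one character.
LOOKUP_CSV = """LookupField
%ext
t%xt
te%t
tex%
"""


def load_patterns(csv_text, field="LookupField"):
    """Read the pattern column out of a lookup CSV (mirrors `| inputlookup`)."""
    return [row[field] for row in csv.DictReader(io.StringIO(csv_text)) if row[field]]


def build_like_clause(field, patterns):
    """Build the where-expression the first answer assembles with format + sed:
    (like(field,"p1") OR like(field,"p2") OR ...), quoting each pattern."""
    terms = ['like({},"{}")'.format(field, p.replace('"', '\\"')) for p in patterns]
    return "(" + " OR ".join(terms) + ")"


def like_to_regex(pattern):
    """Translate a like() pattern into an anchored regex (% -> .*, _ -> .),
    escaping every other character, so the lookup can drive match() instead."""
    out = []
    for ch in pattern:
        if ch == "%":
            out.append(".*")
        elif ch == "_":
            out.append(".")
        else:
            out.append(re.escape(ch))
    return "^" + "".join(out) + "$"


def wildcard_to_regex(pattern):
    """Translate a matchtype WILDCARD lookup pattern (* = any run) into an anchored regex."""
    return "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"


def matches_any(value, patterns, to_regex=like_to_regex):
    """Return the first lookup pattern that matches value, or None when no row hits
    (the equivalent of the lookup output field being absent, i.e. NOT LookupField=*)."""
    for p in patterns:
        if re.search(to_regex(p), value):
            return p
    return None


if __name__ == "__main__":
    patterns = load_patterns(LOOKUP_CSV)
    print(build_like_clause("EventField", patterns))
    for value in ["context", "test", "hello"]:
        print(value, "->", matches_any(value, patterns))
    print("mytesting", "->", matches_any("mytesting", ["*test*"], wildcard_to_regex))
```

The distinction worth keeping in mind when choosing between the answers: like() and match() run per event in the pipeline, whereas a WILDCARD lookup is evaluated by the lookup itself, so the patterns in the CSV must use the right wildcard syntax for whichever mechanism is chosen (% and _ for like(), * for the lookup definition, full regex for match()).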