Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What is the best way to match arbitrary fields in inputlookup

yuanliu
SplunkTrust
SplunkTrust
‎02-25-2022 06:43 PM

With events, I can do

 

 

 

| search index=foo *bar*

 

 

 

This will match any event containing the string "bar" regardless where it appears.  But with |inputlookup, this will not work.

I can work around it using foreacch.  But it looks rather labored.

 

 

 

| inputlookup mylookup
| foreach * 
    [| search <<FIELD>>=*bar*]

 

 

 

Is this the best way?

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎02-25-2022 11:10 PM

Hi @yuanliu,

it runs on indexes because you have the _raw field and when you run a full text search it's the same thing that you run "_raw=*bar*", but in a lookup you don't have the _raw so it doesn't run.

If you want to search a word in all the fields of your lookup, you have to recreate the _raw:

| inputlookup mylookup
| eval _raw=field 1." ".field2." ".field3." ".field4
| search _raw="*bar*"

maybe it's easier to use a summary index instead of a lookup.

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎02-25-2022 11:10 PM

Hi @yuanliu,

it runs on indexes because you have the _raw field and when you run a full text search it's the same thing that you run "_raw=*bar*", but in a lookup you don't have the _raw so it doesn't run.

If you want to search a word in all the fields of your lookup, you have to recreate the _raw:

| inputlookup mylookup
| eval _raw=field 1." ".field2." ".field3." ".field4
| search _raw="*bar*"

maybe it's easier to use a summary index instead of a lookup.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎02-26-2022 10:28 AM

Thanks for the suggestion!  My lookup changes so infrequently (and is not super large) that it is perhaps not worth the summary.  But it is definitely a path for more intense use cases.

0 Karma
Reply
Solved! Jump to solution

m_pham
Splunk Employee
Splunk Employee
‎02-25-2022 07:30 PM

You just do this:

 

| inputlookup my_lookup
| search field=*value*

 

0 Karma
Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎02-26-2022 10:37 AM

@m_pham Yes, I can search any individual field.  Usually lookups would not contain freehand text in more than one field.  This peculiar one has several freehand fields that I want to give a lazy search option.

The foreach method in my OP does the job.  But it feels silly to use heavy artillery for what looks really simple when _raw exists.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...