Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What is the best way to match arbitrary fields in inputlookup

yuanliu
SplunkTrust
SplunkTrust
‎02-25-2022 06:43 PM

With events, I can do

 

 

 

| search index=foo *bar*

 

 

 

This will match any event containing the string "bar" regardless where it appears.  But with |inputlookup, this will not work.

I can work around it using foreacch.  But it looks rather labored.

 

 

 

| inputlookup mylookup
| foreach * 
    [| search <<FIELD>>=*bar*]

 

 

 

Is this the best way?

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎02-25-2022 11:10 PM

Hi @yuanliu,

it runs on indexes because you have the _raw field and when you run a full text search it's the same thing that you run "_raw=*bar*", but in a lookup you don't have the _raw so it doesn't run.

If you want to search a word in all the fields of your lookup, you have to recreate the _raw:

| inputlookup mylookup
| eval _raw=field 1." ".field2." ".field3." ".field4
| search _raw="*bar*"

maybe it's easier to use a summary index instead of a lookup.

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎02-25-2022 11:10 PM

Hi @yuanliu,

it runs on indexes because you have the _raw field and when you run a full text search it's the same thing that you run "_raw=*bar*", but in a lookup you don't have the _raw so it doesn't run.

If you want to search a word in all the fields of your lookup, you have to recreate the _raw:

| inputlookup mylookup
| eval _raw=field 1." ".field2." ".field3." ".field4
| search _raw="*bar*"

maybe it's easier to use a summary index instead of a lookup.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎02-26-2022 10:28 AM

Thanks for the suggestion!  My lookup changes so infrequently (and is not super large) that it is perhaps not worth the summary.  But it is definitely a path for more intense use cases.

0 Karma
Reply
Solved! Jump to solution

m_pham
Splunk Employee
Splunk Employee
‎02-25-2022 07:30 PM

You just do this:

 

| inputlookup my_lookup
| search field=*value*

 

0 Karma
Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎02-26-2022 10:37 AM

@m_pham Yes, I can search any individual field.  Usually lookups would not contain freehand text in more than one field.  This peculiar one has several freehand fields that I want to give a lazy search option.

The foreach method in my OP does the job.  But it feels silly to use heavy artillery for what looks really simple when _raw exists.

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...