Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What is the best way to match arbitrary fields in inputlookup

yuanliu
SplunkTrust
SplunkTrust
‎02-25-2022 06:43 PM

With events, I can do

 

 

 

| search index=foo *bar*

 

 

 

This will match any event containing the string "bar" regardless where it appears.  But with |inputlookup, this will not work.

I can work around it using foreacch.  But it looks rather labored.

 

 

 

| inputlookup mylookup
| foreach * 
    [| search <<FIELD>>=*bar*]

 

 

 

Is this the best way?

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎02-25-2022 11:10 PM

Hi @yuanliu,

it runs on indexes because you have the _raw field and when you run a full text search it's the same thing that you run "_raw=*bar*", but in a lookup you don't have the _raw so it doesn't run.

If you want to search a word in all the fields of your lookup, you have to recreate the _raw:

| inputlookup mylookup
| eval _raw=field 1." ".field2." ".field3." ".field4
| search _raw="*bar*"

maybe it's easier to use a summary index instead of a lookup.

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎02-25-2022 11:10 PM

Hi @yuanliu,

it runs on indexes because you have the _raw field and when you run a full text search it's the same thing that you run "_raw=*bar*", but in a lookup you don't have the _raw so it doesn't run.

If you want to search a word in all the fields of your lookup, you have to recreate the _raw:

| inputlookup mylookup
| eval _raw=field 1." ".field2." ".field3." ".field4
| search _raw="*bar*"

maybe it's easier to use a summary index instead of a lookup.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎02-26-2022 10:28 AM

Thanks for the suggestion!  My lookup changes so infrequently (and is not super large) that it is perhaps not worth the summary.  But it is definitely a path for more intense use cases.

0 Karma
Reply
Solved! Jump to solution

m_pham
Splunk Employee
Splunk Employee
‎02-25-2022 07:30 PM

You just do this:

 

| inputlookup my_lookup
| search field=*value*

 

0 Karma
Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎02-26-2022 10:37 AM

@m_pham Yes, I can search any individual field.  Usually lookups would not contain freehand text in more than one field.  This peculiar one has several freehand fields that I want to give a lazy search option.

The foreach method in my OP does the job.  But it feels silly to use heavy artillery for what looks really simple when _raw exists.

0 Karma
Reply
Get Updates on the Splunk Community!

What the End of Support for Splunk Add-on Builder Means for You

Hello Splunk Community! We want to share an important update regarding the future of the Splunk Add-on Builder ...

Solve, Learn, Repeat: New Puzzle Channel Now Live

Welcome to the Splunk Puzzle PlaygroundIf you are anything like me, you love to solve problems, and what ...

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...