Hi,
I have a dashboard where the data is coming from a lookup called "ABC" which has 2 fields called "src_ip" and "dest_ip", respectively.
On the same dashboard, I now need to add a text box such that a user inputs 1 or more IP addresses, searches against BOTH the "src_ip" and "dest_ip" fields on the lookup, and this filters the final results on the dashboard.
The issue I am having is that all the IP addresses are string values and I am having trouble refining the search; this is the error I am currently getting:
Error in 'where' command: The expression is malformed. An unexpected character is reached at '*) OR like(dest_ip,*)'.
So, a search like this works for me:
| inputlookup ABC
| where like(dest_ip,"10.175.96.146 10.175.96.147 10.175.96.148 10.175.96.149 10.175.96.150 10.175.96.183")
I am unable to search against both these "src_ip" and "dest_ip" when using a token though for an input like this:
<query>| inputlookup ABC
| where like(src_ip,$srcip_tok$) OR like(dest_ip,$srcip_tok$)
</query>
Can you please help?
Thanks as always
Hi,
This doesn't work.
When I input "10.105.12.19" as the input, it generates no results and the resulting search is as follows:
| inputlookup firewall_rule_owner
| where like(src_ip,"10.105.12.19") OR like(dest_ip,"10.105.12.19")
When I input multiple IP addresses as the input (comma separated) i.e. 10.105.12.19, 10.175.96.146, I also generate no results and the resulting search is:
| inputlookup firewall_rule_owner
| where like(src_ip,"10.105.12.19, 10.175.96.146") OR like(dest_ip,"10.105.12.19, 10.175.96.146")
Finally, when I input nothing and the dashboard runs on the default text field value *, I generate no results with the search:
| inputlookup firewall_rule_owner
| where like(src_ip,"*") OR like(dest_ip,"*")
I need all 3 instances to work for the stakeholder. Can you please help?
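One way to make all three inputs from the thread (a single IP, a comma-separated list, and the default `*`) filter on both fields is to swap the `where like(...)` clause for the `search` command's `IN` operator. The eval function `like()` uses `%` and `_` as its wildcards, not `*`, and compares the whole quoted string, so neither a comma-separated list nor a bare `*` can ever equal a single IP value; the `search` command understands `*` wildcards and splits an `IN (...)` list on commas. The Simple XML below is an added example, not code from the original post; it reuses the lookup `firewall_rule_owner`, the token `srcip_tok` and the fields `src_ip` and `dest_ip` named in the thread, and the dashboard title and panel layout are assumptions.

```xml
<form>
  <label>Firewall rule owner lookup</label>
  <fieldset submitButton="false">
    <!-- Free-text input: one IP, a comma-separated list, or the default * -->
    <input type="text" token="srcip_tok" searchWhenChanged="true">
      <label>Source or destination IP (comma separated)</label>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!-- IN () accepts comma-separated values and * wildcards,
               so every value in the box is tested against both fields -->
          <query>| inputlookup firewall_rule_owner
| search src_ip IN ($srcip_tok$) OR dest_ip IN ($srcip_tok$)</query>
        </search>
      </table>
    </panel>
  </row>
</form>
```

With the three inputs from the follow-up post the token expands to `| search src_ip IN (10.105.12.19) OR dest_ip IN (10.105.12.19)`, `| search src_ip IN (10.105.12.19, 10.175.96.146) OR dest_ip IN (10.105.12.19, 10.175.96.146)`, and `| search src_ip IN (*) OR dest_ip IN (*)`, the last of which returns every row that has either field populated. Matching is exact per value apart from `*`, so `10.105.12.1` does not match `10.105.12.19`; a whole range is entered as `10.105.12.*`. Because the raw token is spliced unquoted into the search string, whatever is typed in the box becomes part of the SPL, so the dashboard should only be shared with users who are already permitted to run searches against this lookup.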