Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

searching a lookup table with multiple values in a field

raysonjoberts
Path Finder
‎08-20-2021 06:58 AM

I have a csv file that that I am using for a lookup which has multiple values in a particular field. I am trying to do a lookup which matches any one of the field values.

example:

lookup table file -
room,color
livingroom,purple|green|yellow

(the pipe symbol delineates the different values in the color field)

Then my search -


<base search> 
| lookup paint_colors room OUTPUTNEW color
| search color=purple
| fields room,color
| stats list by room


My desired result would be to see livingroom in the results. Is it possible to search for any one value in a field with multiple values?

Thanks in advance!


 

 

Labels (2)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-20-2021 08:28 AM 
<base search> 
| lookup paint_colors room OUTPUTNEW color
| eval match=if(match(room_color,color),"matched",null())
| where match="matched"
| fields room,color
| stats list by room
0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎08-20-2021 08:09 AM

@raysonjoberts 

Try where for searching

| where like(color,"%purple%")

 

KV

Reply

raysonjoberts
Path Finder
‎08-20-2021 08:26 AM

Thanks KV. 
I think I have over simplified my question.
What I am really after is for each value in the lookup table field to be recognized as individual values and not a single string. So for example, a different search might be

<base search>
| lookup paint_colors room OUTPUTNEW color
| stats count by room,color

And my desired outcome would be

livingroom purple 1
livingroom green 1
livingroom yellow 1

 

 

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎08-20-2021 08:29 AM

@raysonjoberts 

try this

<base search>
| lookup paint_colors room OUTPUTNEW color
| where like(color,"%purple%") 
| eval color=split(color,"|")
| stats count by room,color

KV

 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

 Prepare to elevate your security operations with the powerful upgrade to Splunk Enterprise Security 8.x! This ...

Get Early Access to AI Playbook Authoring: Apply for the Alpha Private Preview ...

Passionate about security automation? Apply now to our AI Playbook Authoring Alpha private preview ...

Reduce and Transform Your Firewall Data with Splunk Data Management

Managing high-volume firewall data has always been a challenge. Noisy events and verbose traffic logs often ...