Hello, I just started a new position where I've inherited management of large queries that need to be updated periodically. They typically involve having regexes matching on a field and applying a label to them. One involves a huge case statement:

| eval label=case(match(field,"regex1"),label1, match(field,"regex2"),label2, match(field,"regex3"),label3, ...)

The regex is updated regularly, hence me wanting to make this more manageable. My first thought was to use a lookup table with the regex & label, but I'm open to other suggestions. I did find https://community.splunk.com/t5/Splunk-Search/How-do-I-match-a-regex-query-in-a-CSV and have been able to use regex in the lookup table with a search that was suggested in the solution:

| where
    [| inputlookup regexlookup.csv
    | eval matcher="match(subject,\"".regex."\")"
    | stats values(matcher) as search
    | eval search=mvjoin(search, " OR ")]

But I'm wondering how to also apply the label to the results with a lookup like this:

regex,label
regex1,label1
regex2,label2

Thanks in advance.
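An added example, not from the original post or the linked answer, and in Python rather than SPL: it models what a regex-and-label lookup has to provide to replace the case() statement, namely rules applied in row order with first-match-wins (the same semantics as case()), plus two checks worth running on the CSV before uploading it to Splunk: every regex compiles, and no sample value matches more than one rule (otherwise row order alone decides the label). The CSV rows, sample strings and function names are constructed for this example. Python's re module is close to but not identical to the PCRE used by Splunk's match(), so a regex that passes here should still be tried in Splunk.

```python
import csv
import io
import re

# Constructed sample lookup in the same shape as the poster's regexlookup.csv
# (assumed header: regex,label). Note the quoted second row: a regex that
# contains a comma, here the {4,} quantifier, must be quoted or the CSV
# parser splits it into extra columns.
LOOKUP_CSV = r"""regex,label
(?i)^password\s*reset,account_recovery
"(?i)invoice\s+#?\d{4,}",billing
(?i)urgent|act now,phishing_suspect
"""

# Constructed sample values of the field being labelled.
SAMPLES = [
    "Password reset request",
    "Invoice #20241 attached",
    "Password reset: act now",
    "weekly newsletter",
]


def load_rules(csv_text):
    """Parse the lookup into an ordered list of (compiled regex, label).

    Row order is kept because case() is first-match-wins, so the row order
    of the CSV is the rule priority. Every regex is compiled up front so a
    bad pattern fails here rather than silently never matching in Splunk.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    rules = []
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        if None in row:  # DictReader parks extra columns under the None key
            raise ValueError(f"line {line_no}: unquoted comma in regex, quote the cell")
        pattern, label = row["regex"], row["label"]
        if not label:
            raise ValueError(f"line {line_no}: empty label")
        try:
            rules.append((re.compile(pattern), label))
        except re.error as exc:
            raise ValueError(f"line {line_no}: invalid regex {pattern!r}: {exc}") from exc
    return rules


def label_for(value, rules):
    """Apply the rules the way eval label=case(match(field,r1),l1, ...) does:
    the first regex that matches wins, later rules are never consulted, and
    the result is None (a null label in Splunk) when nothing matches."""
    for regex, label in rules:
        if regex.search(value):
            return label
    return None


def overlapping_rules(values, rules):
    """Lint for rule order: for each sample value, list every label whose
    regex matches. More than one hit means row order alone picks the winner,
    which is what silently changes when someone reorders or appends rows."""
    report = {}
    for value in values:
        hits = [label for regex, label in rules if regex.search(value)]
        if len(hits) > 1:
            report[value] = hits
    return report


if __name__ == "__main__":
    rules = load_rules(LOOKUP_CSV)
    for value in SAMPLES:
        print(f"{value!r:40} -> {label_for(value, rules)}")
    for value, hits in overlapping_rules(SAMPLES, rules).items():
        print(f"order-dependent: {value!r} matches {hits}")
```

Run it as a pre-commit check on the CSV with a small corpus of known subjects; anything reported by overlapping_rules is a row-order decision that should be deliberate, and a ValueError means the file would have produced wrong or missing labels once loaded.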