×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
hFHUT2
Engager
Member since: ‎04-07-2021
‎04-08-2021
Community Statistics
Posts 2
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎04-07-2021
View All

Re: How to know which value from lookup table matc...

by in Splunk Search
‎04-08-2021 04:58 AM
‎04-08-2021 04:58 AM
I really like your wildcard lookup table suggestion. It seems like the cleanest fit for what I'm trying to do. I need to have someone enable that wildcard option on the KV Store I'm using so that I can give it a shot. However, for your first suggestion, I'm unclear as to how I would actually make that work. In your example, you have three separate "rex" commands, but I'm not sure how to make that work with the lookup table... I would need to somehow automatically add those into the search for every value in the lookup table, which is a lot of them. I'll report back when I have that set up so that I can potentially mark your answer as accepted. Thanks! Edit: I got the WILDCARD setting enabled, and it works beautifully! Thank you so much! I didn't realize that was an option. ... View more

How to know which value from lookup table matched ...

by in Splunk Search
‎04-07-2021 02:06 PM
‎04-07-2021 02:06 PM
I have a lookup table that has a list of values in it similar to: id value 1 test_value1 2 test_value2   I can search for all logs that have any of these values in them by doing: index=blah sourcetype=blah [|inputlookup test_values | rename value AS search | fields search | format] This creates a search such as: index=blah sourcetype=blah ( ( "test_value1" ) OR ( "test_value2" ) ) What I'm trying to figure out is how to know which value from the lookup table was responsible for matching each log. However, because I'm not searching for the values in any particular field in the logs, and the fact that the lookup table values might be substrings of a larger value in the logs, I don't think I can use "| lookup" in order to match back to the lookup table. Put another way that doesn't even necessarily need to involve a lookup table, if you had this search: index=blah sourcetype=blah *this* OR *that* Is there any way to create a new field within the matching logs that would contain either the string "this" or "that" depending on which one was the cause of the match? ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎04-08-2021 05:09 PM