cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
warren
Explorer
Member since: ‎11-15-2023
‎11-15-2023
Community Statistics
Posts 4
Solutions 0
Karma Given 1
Karma Received 0
Member Since ‎11-15-2023
Activity Feed
View All

inputlookup with fuzzy matching

by in Splunk Search
‎11-15-2023 05:22 AM
‎11-15-2023 05:22 AM
Hello, I'm building a query which matches entries in an inputlookup table against a set of log data. The original working query (thanks to @ITWhisperer ) is: dataFeedTypeId=AS [ | inputlookup approvedsenders | fields Value | rename Value as sender] | stats count as cnt_sender by sender | append [inputlookup approvedsenders | fields Value | rename Value as sender] | fillnull cnt_sender | stats sum(cnt_sender) as count BY sender This is correctly providing a list of all of the emails address entries in the lookup file with the number of times they occur in the email address field (sender) of the dataset. However, the "Value" field from the lookup file may contain an email address, an IP address, or a domain name: "Value,description,spoof,spam,heuristic,newsletter training.cloud@bob,Email Tests,Y,Y,Y,Y mk.mimecast.com,mimecast emails,Y,Y,Y,Y blah@yahoo.com,more belgrat,Y,Y,Y,Y bbc.co.uk,BBC sends me lots of useful information,N,Y,Y,Y 81.96.24.195,test IP,Y,Y,Y,Y yahoo.com, Yahoo domain,Y,Y,Y,Y" What I need to do next is to widen the search, at the moment it is doing an exact match on the sender field and I need the entries in the lookup file to be used against a number of fields in the log data. Examples: This query seems to provide the correct results but it does not show the null values as above(n.b. the return 1000 isn't optimal code, I'd prefer it to simply return all of the results): dataFeedTypeId=AS [| inputlookup approvedsenders | fields Value | return 1000 $Value] | stats count as cnt_sender by sender This query also provides the correct results but again does not show the null values (there is no domain field in the log data, I am using an app to extract it from the sender field) dataFeedTypeId=AS | rex field=sender "\@(?<domain_detected>.*)" | eval list="mozilla" | `ut_parse_extended(domain_detected, list)` | lookup approvedsenders Value AS domain_detected OUTPUTNEW description Value | lookup approvedsenders Value AS sender OUTPUTNEW description Value | lookup approvedsenders Value AS senderIp OUTPUTNEW description Value | search description="*" | table subject sender domain_detected senderIP description Value | lookup approvedsenders description OUTPUTNEW Value as Matched | stats count by Matched   My apologies for the long question, thank you for taking the time to read this far. ... View more
Labels

Re: inputlookup - count of values including Null

by in Splunk Search
‎11-15-2023 03:57 AM
‎11-15-2023 03:57 AM
@ITWhisperer Thank you so much, that has returned the results I was expecting.  ... View more

Re: inputlookup - count of values including Null

by in Splunk Search
‎11-15-2023 03:29 AM
‎11-15-2023 03:29 AM
@ITWhisperer at the moment it is just a simple lookup, there are values in the table which match the log data exactly. The first example does return the correct results (without the null values). Value is the information from the lookup file.  sender is the information from the main dataset cnt_sender is a variable used within the code Is that how it should be? ... View more

inputlookup - count of values including Null

by in Splunk Search
‎11-15-2023 02:49 AM
‎11-15-2023 02:49 AM
Hello, I have a lookup file and I would like to use it to search a dataset and return a table showing each entry in the lookup file with a count of their number of matches in the main dataset including displaying the entries from the lookup file which have a null value.   I've tried a number of techniques, the closet I have come is: dataFeedTypeId=AS [| inputlookup approvedsenders | fields Value | return 1000 $Value] | stats count as cnt_sender by sender But this only shows the lookup fileentries with non-zero values (n.b. I am manually adding 1000 to the return to make it work, that's a different problem) I have also tried: dataFeedTypeId=AS [ | inputlookup approvedsenders | fields Value] | stats count as cnt_sender by Value | append [ inputlookup approvedsenders | fields Value] | fillnull cnt_sender | stats sum(cnt_sender) as count BY Value This shows all the values in the lookup file but shows a zero count against each one.  Thank you in advance.   ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎11-15-2023 10:53 PM
Karma given to
View All