Hello Splunkers,

I'm looking for the best algorithm to search for events with the below criteria.

I have a lookup with only one field, but it is multi-valued, about 10000 lines. For example:

"vatsal, jagani"
"10.0.0.1, 10.0.0.2"

I want to search index=abc for the last 2 hours (about 50 events) to see if there are at least two events (but can be more) that contain words from one set. For example:

event-1 - "hello, I'm Vatsal."
event-2 - "hello, I'm jagani too."

Here, two events have matching words from the same lookup field. Another example:

event-3 - "hi, vatsal"
event-4 - "hello, vatsal"

This is also considered matching. And I want to run this alert every hour.

Solution-1 - I could use the map command as below, but I don't think that's very efficient.

| inputlookup words_lookup.py
| eval or_field = <convert words to an OR list like "vatsal" OR "jagani">
| map max_count=1000000 "search index=abc $or_field$"

Solution-2 - I could write a Python script, but I'm not sure what algorithm to use.

I'm looking for a more efficient query or Python algorithm to do this efficiently.
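One way to do the matching without a per-row search (added example, not code from the poster or from Splunk): build an inverted index from each lookup word to the rows that contain it, tokenize each event once, and count, per lookup row, how many distinct events hit any of its words. The lookup rows and events below are constructed sample data; the tokenizer regex and the `min_events` threshold are assumptions for this illustration. Each event is processed once, so the cost grows with the number of tokens rather than with rows times events.

```python
"""Inverted-index matching of a multi-valued lookup against recent events.
Added example, not from the original post; all data below is constructed."""
import re
from collections import defaultdict

# Constructed stand-in for the lookup: one multi-valued field per row
# (the real lookup would have ~10000 rows).
LOOKUP_ROWS = [
    ["vatsal", "jagani"],
    ["10.0.0.1", "10.0.0.2"],
    ["alice", "bob"],
]

# Constructed stand-in for the last 2 hours of index=abc.
EVENTS = [
    "hello, I'm Vatsal.",
    "hello, I'm jagani too.",
    "hi, vatsal",
    "src=10.0.0.1 dst=10.0.0.9",
    "nothing to see here",
    "alice logged in",
]

# Assumed tokenizer: alphanumeric runs, allowing '.', '_' or '-' inside a
# token so that IP addresses and hostnames survive as single tokens, while
# trailing punctuation ("Vatsal.") is not absorbed.
TOKEN_RE = re.compile(r"[A-Za-z0-9]+(?:[._-][A-Za-z0-9]+)*")


def tokenize(text):
    """Return the set of lower-cased tokens in an event."""
    return {t.lower() for t in TOKEN_RE.findall(text)}


def build_index(rows):
    """Map each lower-cased lookup word to the set of row ids containing it."""
    index = defaultdict(set)
    for row_id, words in enumerate(rows):
        for word in words:
            index[word.lower()].add(row_id)
    return index


def find_matching_rows(rows, events, min_events=2):
    """Return {row_id: sorted event ids} for every lookup row whose words
    appear in at least `min_events` distinct events.

    A row matches when two different events each contain any of its words,
    including the same word twice (event-3 / event-4 in the question)."""
    index = build_index(rows)
    hits = defaultdict(set)  # row_id -> set of event ids that hit it
    for ev_id, text in enumerate(events):
        for token in tokenize(text):
            for row_id in index.get(token, ()):
                hits[row_id].add(ev_id)
    return {r: sorted(e) for r, e in hits.items() if len(e) >= min_events}


if __name__ == "__main__":
    for row_id, ev_ids in find_matching_rows(LOOKUP_ROWS, EVENTS).items():
        print("lookup row", LOOKUP_ROWS[row_id], "matched events", ev_ids)
```

With the constructed data only the first row fires (events 0, 1 and 2); the IP row and the alice/bob row each hit a single event and stay below the threshold. The same shape carries over to SPL: a lookup keyed on the individual word with a row/group id column lets the search join tokenized events to groups and then count distinct events per group, which avoids launching one sub-search per lookup row as `map` does.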