Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to keyword search values in a lookup table without using field names

marycordova
SplunkTrust
SplunkTrust
‎02-06-2020 11:17 AM

Assume you have a lookup table and you want to load the lookup table and then search the lookup table for a value or values but you don't know which field/column the value(s) might be in in the lookup table.

How can you search the lookup table for the value(s) without defining every possible field=value combination in the search?

For example the following fails:

| inputlookup uid_host_ip_mac.csv 
| search myuserid OR myhostname OR myip OR mymac
| table _time uid host ip mac
| sort - _time

But the below would work:

| inputlookup uid_host_ip_mac.csv 
| search uid=myuserid OR uid=myhostname OR uid=myip OR uid=mymac OR host=myuserid OR host=myhostname OR host=myip OR host=mymac OR ip=myuserid OR ip=myhostname OR ip=myip OR ip=mymac OR mac=myuserid OR mac=myhostname OR mac=myip OR mac=mymac
| table _time uid host ip mac
| sort - _time

Obviously in this case I know which field=value pairs go together so I wouldn't in reality use all these possible combinations in this example, but if I didn't know which field=value pairs went together, how could I keyword search the lookup table like in the first example?

@marycordova
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

marycordova
SplunkTrust
SplunkTrust
‎02-06-2020 11:21 AM

To search a lookup table with keyword values not tied to fields/columns (field=keyword) just add an artificial _raw event field:

| inputlookup uid_host_ip_mac_rolling.csv 
| eval _raw=tostring(mvjoin((mvappend('uid','host','ip,'mac'))," : "))
| search myuserid OR my-hostname OR myip OR mymac
| table _time uid host ip mac
| sort - _time

you can use any delimiter you want, it doesn't have to be a " : "
also the tostring might not be necessary...
| eval _raw=tostring(mvjoin((mvappend('uid','host','ip,'mac'))," : "))

@marycordova

View solution in original post

Reply
Solved! Jump to solution

marycordova
SplunkTrust
SplunkTrust
‎02-06-2020 11:43 AM

this also sounds awesome and is sorta related 😛

https://answers.splunk.com/answers/685436/how-to-use-subsearch-without-a-field-name-but-just.html

@marycordova
0 Karma
Reply
Solved! Jump to solution
Solution

marycordova
SplunkTrust
SplunkTrust
‎02-06-2020 11:21 AM

To search a lookup table with keyword values not tied to fields/columns (field=keyword) just add an artificial _raw event field:

| inputlookup uid_host_ip_mac_rolling.csv 
| eval _raw=tostring(mvjoin((mvappend('uid','host','ip,'mac'))," : "))
| search myuserid OR my-hostname OR myip OR mymac
| table _time uid host ip mac
| sort - _time

you can use any delimiter you want, it doesn't have to be a " : "
also the tostring might not be necessary...
| eval _raw=tostring(mvjoin((mvappend('uid','host','ip,'mac'))," : "))

@marycordova
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...