Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to search multiple value on the same field

BunnyHop
Contributor
‎03-18-2010 08:37 PM

I have a regex that searches for different types of value on a field:

  • | regex _raw="FIELD=(value1|value2|value3)"

However this search is painfully slow. How can you perform this search on the indexed data without creating a very long search string like the below:

SEARCH FIELD="value1" OR FIELD="value2" OR FIELD="value3"

Tags (3)
Reply
1 Solution
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎03-19-2010 12:09 AM

You create the long search string. You can create the long search string indirectly via a subsearch though, which can load a file:

[ inputlookup mylist.csv | fields MYFIELDNAME | format ]

The file mylist.csv must be in the app lookups folder (probably etc/apps/search/lookups) and must be a CSV file with at least 1 column named MYFIELDNAME, one value per line. You can also generate the lookups from search results using outputlookup if that is the source of your values.

Update:

With just a little more work, you can also configure a lookup that maps MYFIELDNAME values to a "groupname", and if you then configure automatic lookups against MYFIELDNAME, then you can just add groupname="group" to the query and Splunk will automatically perform the equivalent of expanding the search string for every MYFIELDNAME value in the lookup table where groupname is mapped to group.

View solution in original post

Reply
Solved! Jump to solution

oreoshake
Communicator
‎03-19-2010 12:12 AM

Yeah it's painfully slow because the data is filtered AFTER the search has run. I'd just write a little script that expands it out for you on your local machine. Splunk 4.0.10 recently removed the cap or OR clauses which might be good for you.

ruby:

ARGV[0].sub('|', ' or host=')

Reply
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎03-19-2010 12:09 AM

You create the long search string. You can create the long search string indirectly via a subsearch though, which can load a file:

[ inputlookup mylist.csv | fields MYFIELDNAME | format ]

The file mylist.csv must be in the app lookups folder (probably etc/apps/search/lookups) and must be a CSV file with at least 1 column named MYFIELDNAME, one value per line. You can also generate the lookups from search results using outputlookup if that is the source of your values.

Update:

With just a little more work, you can also configure a lookup that maps MYFIELDNAME values to a "groupname", and if you then configure automatic lookups against MYFIELDNAME, then you can just add groupname="group" to the query and Splunk will automatically perform the equivalent of expanding the search string for every MYFIELDNAME value in the lookup table where groupname is mapped to group.

Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎03-19-2010 01:58 PM

Sorry but "local" I mean the Splunk search server, not your client workstation.

Reply
Solved! Jump to solution

arungeorge09
Path Finder
‎02-02-2015 05:24 AM

How do I construct a query with this.?

0 Karma
Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎03-19-2010 01:58 PM

The external source is a file on the local machine. It will be fast.

Reply
Solved! Jump to solution

BunnyHop
Contributor
‎03-19-2010 12:08 PM

This seems to look at values from an external source, correct? Is this more efficient?

Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What’s New & Next in Splunk SOAR

Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us for an ...

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

 Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team for an ...