Splunk Search

Search Using Lookup with Multiple Search Terms for the Same Field

stauff
Explorer

Hello All.

I am trying to use a lookup to perform a tstats search against a data model, where I want multiple search terms for the same field.  However, I cannot get this to work as desired.  I have an example below to show what is happening, and what I'm trying to achieve.

I have a lookup file named search_terms.csv:

process_execprocessprocess
someexe.exe*param1**param2*

 

Given this lookup file, here is the expanded search I am trying to achieve:

 

| tstats summariesonly=false allow_old_summaries=true count from datamodel=Endpoint.Processes where (Processes.process_exec=someexe.exe AND Processes.process=*param1* AND Processes.process=*param2*) by Processes.dest

 

Here is the first search I tried:

 

| tstats summariesonly=false allow_old_summaries=true count from datamodel=Endpoint.Processes where [ | inputlookup search_terms.csv | fields process_exec process | rename process_exec AS Processes.process_exec | rename process AS Processes.process ] by Processes.dest

 

However, expanding this search leads to the second process column being ignored:

 

| tstats summariesonly=false allow_old_summaries=true count from datamodel=Endpoint.Processes where (Processes.process_exec=someexe.exe AND Processes.process=*param1*) by Processes.dest

 

Since this did not work, I tried editing the lookup file to look like this:

process_execprocess
someexe.exe*param1*|||*param2*

 

Then I used makemv to make the process field multivalue:

 

| tstats summariesonly=false allow_old_summaries=true count from datamodel=Endpoint.Processes where [ | inputlookup search_terms.csv | fields process_exec process | makemv delim="|||" process | rename process_exec AS Processes.process_exec | rename process AS Processes.process ] by Processes.dest

 

However, this search expanded lead to an "OR" being used for the 2 process query values, instead of an "AND":

 

| tstats summariesonly=false allow_old_summaries=true count from datamodel=Endpoint.Processes where (Processes.process_exec=someexe.exe AND (Processes.process=*param1* OR Processes.process=*param2*)) by Processes.dest

 

Does anyone know of a method to create a search using a lookup that would lead to my desired search of:

 

| tstats summariesonly=false allow_old_summaries=true count from datamodel=Endpoint.Processes where (Processes.process_exec=someexe.exe AND Processes.process=*param1* AND Processes.process=*param2*) by Processes.dest

 

 

 

 

Labels (2)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

Check out the format command.  It lets you change how the result of the subsearch is formatted, including replacing OR with AND.

---
If this reply helps you, an upvote would be appreciated.

View solution in original post

stauff
Explorer

This is exactly what I needed, thank you!  I was able to append the following to my subsearch to get the desired result:

| format mvsep="AND"

 

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Check out the format command.  It lets you change how the result of the subsearch is formatted, including replacing OR with AND.

---
If this reply helps you, an upvote would be appreciated.

View solution in original post

.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!