Splunk Search

How to save search results as a variable to then search against a lookup table?

splunker1981
Path Finder

Hello all,

I am trying to figure out how to save the results from a search and then check if they exist in my lookup table. I've tried a bunch of things, but don't seem to get the correct results back. What I am doing is running a search using a regex to save to a fieldname called searchString. The field returns about 1200 items when I run |table searchString. I want to use the data stored in the fieldName searchString and then see if there's a match for that string in my lookup file. When I use eval and set a known string to test the search below, it works fine and I get a match. When I use the same search, but instead of using eval to set the searchString, I don't get anything back. Not sure what I am doing wrong, any help would be greatly appreciated.

This works for testing:

  | stats count | fields - count | eval searchString="testString123test" | lookup masterStringList.csv strings

This one does not work when using it as part of a search result, although testString123test was added and should match.

  searchHere | dedup searchString | stats count | fields - count | lookup masterStringList.csv string

somesoni2
SplunkTrust

Try something like this

your base search | stats count by searchString | fields - count  | lookup masterStringList.csv lookupFileFieldname as searchString

splunker1981
Path Finder

This gets me a little closer, however the query seems to print every single record in the lookup file and, if a match is found, it populates an additional column with the headers from the lookup file. Is there a way to just show matches and not everything in the lookup file?

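Added example (not posted by anyone in this thread): the pattern from the reply above, extended so that only values present in the lookup file are returned. `your base search`, `searchString`, `masterStringList.csv` and `lookupFileFieldname` are the names used in the thread; `matched` is an assumed output field name chosen here, and the lookup column name must be replaced with the real header of the CSV.

```spl
your base search
| stats count BY searchString
| fields - count
| lookup masterStringList.csv lookupFileFieldname AS searchString OUTPUT lookupFileFieldname AS matched
| where isnotnull(matched)
| table searchString
```

`stats count BY searchString` keeps one row per distinct value, which is why it works where the original `| dedup searchString | stats count` did not: `stats count` with no `BY` clause collapses everything to a single row holding only `count`, so `searchString` no longer exists by the time `lookup` runs. `lookup` only populates the `OUTPUT` field on rows that match a lookup entry, so rows without a match carry a null `matched` and `where isnotnull(matched)` drops them, leaving just the values that exist in the lookup file.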