How to extract a field value to use as a search te...

pewaubek_reid · ‎12-13-2016

Hello,

I need a way to extract/convert a field value to a search condition.

Example:

field_value= "src_ip=192.168.1.1 AND user=Disco"
Search: mysearch NOT 'field_value' ---> which should translate to ---> mysearch NOT (src_ip=192.168.1.1 AND user=Disco)

I know the single quotes don't work. I am wondering if there is any function that helps.

Thanks!

nabeel652 · ‎12-13-2016

yoursearch | eval field_value="some value or and expression" | where another_field != $field_value$

pewaubek_reid · ‎12-14-2016

The problem with this is that it is still comparing fields and their respective values. The value(s) of 'field_value' can be any combination of field=value and would be dynamic, therefore defining a new field_value using eval wouldn't be efficient as I'd have to account for every possible field=value combination. I think the optimal situation here is to be able to "break out" 'field_value' and insert it into the search string. I would imagine a token + subsearch would work but I can't find a way to use a token inline in a search.

somesoni2 · ‎12-13-2016

Is the values of "field_value" always similar, means your search condition is always on same fields src_ip and user?

pewaubek_reid · ‎12-13-2016

No. It would be dynamic and could be any combination of field=values.

somesoni2 · ‎12-14-2016

I may have a workaround if the condition is always in format "field1=value1 AND field2=value2....". Is that the case (all conditions are conjoined by 'AND')?

pewaubek_reid · ‎12-14-2016

The condition can be in any combination of field=value so just "field1=value1" or "field1=value1 AND field2=value2 OR field3=value3"... The fields and values would exist independently in the base search, but not the new field containing the field=value pairs/combinations. That's why I'm trying to find a way to change the field=value pairs/combinations from a field value into a search condition/string. Thanks for your attention, any ideas are welcome.

somesoni2 · ‎12-14-2016

The field which contains the search condition is available in the raw data of base search(es) itself?

pewaubek_reid · ‎12-14-2016

Nope, the new field which I am populating with the dynamic field=value combinations doesn't exist in the raw data. The individual fields & values would exist which is why I need to insert them into the search query. I don't think that would matter anyway as I'm not trying to match field values, I'm trying to insert field=values combinations into search string.

somesoni2 · ‎12-14-2016

How are you populating the field which contains the search condition?
It wouldn't have helped if it was part of raw data, but if you're using a lookup OR something get that, there might be a way.

pewaubek_reid · ‎12-14-2016

Gotcha. I am using a lookup. The field_value will be dynamically populated with various field=value combinations.

somesoni2 · ‎12-14-2016

Would you mind providing your search, which includes the lookup command?

pewaubek_reid · ‎12-14-2016

I have a search that doesn't work. Open to ideas...

some_events some_sourcetype NOT [|inputlookup some_lookup.csv]

pewaubek_reid · ‎12-14-2016

I received an email alert for another comment here but it isn't showing up. Here it is quoted;

"Try something like this

some_events some_sourcetype NOT [|inputlookup some_lookup.csv | eval search=field_that_contains_conditions | table search ]"

I believe this is just renaming my field in the lookup table to 'search' not actually creating search conditions from the field value. I couldn't find an eval function called "search".

somesoni2 · ‎12-14-2016

Try something like this

some_events some_sourcetype NOT [|inputlookup some_lookup.csv | eval search=field_that_contains_conditions | table search ]

How to extract a field value to use as a search term for filtering?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life