Solved: Lookup table to many search queries

Accak · ‎02-28-2017

I have lookup table like this:

locationOrFunction, asset_id
London,Application for one;Application for two;Application for three;Appfor HR 
Jakarta,Application for one
Lausanne, Application for two;LBPF*;Application for three;
Monako, Application for *

I want to get something like this:

locationOrFunction, asset_id
London, "Application for one" OR "Application for two" OR "Application for three" OR "Appfor HR" 
Jakarta, "Application for one"
Lausanne, "Application for two" OR "LBPF*" "Application for three"
Monako, "Application for *"

OR

 locationOrFunction, asset_id
    London, asset_id="Application for one" OR asset_id="Application for two" OR asset_id= "Application for three" OR asset_id="Appfor HR" 
    Jakarta, asset_id="Application for one"
    Lausanne, asset_id="Application for two" OR asset_id="LBPF*" asset_id="Application for three"
    Monako, "asset_id=Application for *"

I want to use it in multiselect input.
I tried with format, but it gets all rows (combine all locations), what I want to get is search queries for all independently.
Probably regex will be the answer, but I can't figure it out by myself. Any ideas?

Accak · ‎02-28-2017

I managed to do it:

 | inputlookup Asset_id_sorted_by_category.csv | eval asset_id = split(asset_id, ";")| rex field=asset_id mode=sed "s/$/\"/" | rex field=asset_id mode=sed  "s/^/ OR asset_id=\"/" | nomv asset_id | rex field=asset_id mode=sed  "s/OR//" |table asset_id, locationOrFunction

View solution in original post

Accak · ‎02-28-2017

I managed to do it:

 | inputlookup Asset_id_sorted_by_category.csv | eval asset_id = split(asset_id, ";")| rex field=asset_id mode=sed "s/$/\"/" | rex field=asset_id mode=sed  "s/^/ OR asset_id=\"/" | nomv asset_id | rex field=asset_id mode=sed  "s/OR//" |table asset_id, locationOrFunction

Lookup table to many search queries

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life