Splunk Search

Inputlookup and match only whole word in field text

John__Doe
Engager

I want to use a keyword list (inputlookup) to find a keyword (whole word only!) in the event text.

Sample Event text (field name is 'data'):

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Aliquam pretium urna vel auctor tempus. Integer velit libero, faucibus id ex. 

I've imported a csv file containing keywords.

Keyword
adipiscing
faucibus

The inputlookup works fine:

| inputlookup keywords.csv

Searching for just a keyword works fine:

index=lorum adipiscing

Using inputlookup with the csv file doesn't work (no matches):

index=lorum [| inputlookup keywords.csv]

Any help writing my query is highly appreciated.

0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi John__Doe,
you have to modify your subsearch:

your_search [ | inputlookup your_lookup.csv | rename keyword as query | fields query ]

In this way you can use lookup's keywords for a full text search.
Bye.
Giuseppe

John__Doe
Engager

Hi Cusello,

I've tried this:

index=lorum data=*  [ | inputlookup keywords.csv | rename keyword as query | fields query ]

But still no luck

0 Karma

John__Doe
Engager

The name of the field in 'keywords.csv' is keyword (lower k).

keyword
adipiscing
faucibus
0 Karma

gcusello
SplunkTrust
SplunkTrust

Using this method you use the lookup keywords to run a full text search on the whole raw event. Is the data field in the raw data or not?
If data isn't in the _raw field and is instead only in a different field, and you want to search the keywords in that field, you must use a different approach:
index=lorum data=* [ | inputlookup keywords.csv | eval data=""+keyword+"" | fields data ]
Bye.
Giuseppe

0 Karma

John__Doe
Engager

First example works (needed to change the time span). Apologies for the inconvenience caused.

I've an error with the second example:

Error in 'search' command: Unable to parse the search: Comparator '=' has an invalid term on the right hand side: ((data= "adipiscing") OR (data= "faucibus"))
0 Karma

gcusello
SplunkTrust
SplunkTrust

Sorry: there's an error, I forgot the first asterisk!

index=lorum data= [ | inputlookup keywords.csv | eval data="*"+keyword+"*" | fields data ]

The second solution should be more performant.

Bye.
Giuseppe

0 Karma

John__Doe
Engager

still an error 🙂
Needs to be:

index=lorum data=* [ | inputlookup keywords.csv | eval data="*"+keyword+"*" | fields data ]

This doesn't find only the whole word because of using the asterisk wildcard ( * ). But still a useful example for me.

0 Karma
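As an added example (not code from the thread or from Splunk), the Python below models the two subsearch forms discussed above and shows why the `data="*keyword*"` form matches substrings while the first solution (bare terms in a `query` field) behaves like a whole-word match. The keyword csv text, the events, the `data` field name and the `keyword` column are constructed from the thread; the exact expansion strings are an approximation modelled on the error message quoted earlier, and the `\b` word-boundary regex stands in for Splunk's term matching.

```python
import csv
import io
import re

# Constructed stand-in for keywords.csv (header 'keyword', lower k, as in the thread).
KEYWORDS_CSV = "keyword\nadipiscing\nfaucibus\n"

# Constructed sample values of the 'data' field. The second event contains
# 'faucibuses', which a wildcard search hits but a whole-word search must not.
EVENTS = [
    "Lorem ipsum dolor sit amet, consectetur adipiscing elit.",
    "Integer velit libero, faucibuses id ex.",
    "Nothing relevant in this line.",
]


def load_keywords(csv_text, field="keyword"):
    """Read the keyword column of the lookup, skipping blank rows."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [row[field].strip() for row in reader if row[field].strip()]


def expand_query_subsearch(keywords):
    """Assumed shape of '[| inputlookup ... | rename keyword as query | fields query]':
    each value becomes a bare full-text term, OR'd together."""
    return " OR ".join(f"({kw})" for kw in keywords)


def expand_field_subsearch(keywords, field="data"):
    """Assumed shape of '[| inputlookup ... | eval data="*"+keyword+"*" | fields data]',
    modelled on the parser error quoted in the thread."""
    return "(" + " OR ".join(f'({field}="*{kw}*")' for kw in keywords) + ")"


def wildcard_match(text, keywords):
    """data="*kw*" semantics: case-insensitive substring match."""
    low = text.lower()
    return [kw for kw in keywords if kw.lower() in low]


def whole_word_match(text, keywords):
    """Whole-word semantics: the keyword must sit between word boundaries."""
    pattern = re.compile(
        r"\b(" + "|".join(re.escape(k) for k in keywords) + r")\b", re.IGNORECASE
    )
    return sorted({m.group(1).lower() for m in pattern.finditer(text)})


def hunt(events, keywords):
    """Return (index, wildcard hits, whole-word hits) for every event."""
    return [
        (i, wildcard_match(e, keywords), whole_word_match(e, keywords))
        for i, e in enumerate(events)
    ]


if __name__ == "__main__":
    kws = load_keywords(KEYWORDS_CSV)
    print("query subsearch :", expand_query_subsearch(kws))
    print("field subsearch :", expand_field_subsearch(kws))
    for idx, wild, whole in hunt(EVENTS, kws):
        print(f"event {idx}: wildcard={wild} whole_word={whole}")
```

Running it shows event 1 as a hit for the wildcard form only, which is the false positive the wildcard version produces on a keyword list. Inside Splunk itself the same whole-word filter on a single field can be expressed with the `regex` command and a `\b`-anchored pattern; the term search from the accepted answer gives the whole-word behaviour without it.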

gcusello
SplunkTrust
SplunkTrust

The best way is to use the first solution.
Bye.
Giuseppe
P.S.: if you're satisfied, please accept answer.

0 Karma

John__Doe
Engager

many thanks and accepted

0 Karma

gcusello
SplunkTrust
SplunkTrust

What's the name of the field in the lookup? You must use it in the rename command.
Bye.
Giuseppe

0 Karma