Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to search unstructured log for all values in your lookup file?

luc_k
Engager
‎09-19-2017 07:36 AM

Hi,

I'd like to search our log for multiple possible errors from our lookup file:

alt text

to return only the records containing in any field one of the strings in the Error column and show the corresponding value from the Source column.

Is there a way ,such as | inputlookup errors.csv | foreach... | search ...?

Many thanks in advance,

Luc

Preview file
1 KB
0 Karma
Reply

luc_k
Engager
‎09-19-2017 10:18 AM

Thank you for your prompt reply. This returns the search results. How do I return the Source column?

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-19-2017 07:58 AM

Hi luc_k,
it's possible to search for the full string yu have in the Ettor field.
In other words: you can search for "Some Errors occurred" but not for Some Errors occurred
try something like this

your_search [ | inputlookup your_lookup.csv | rename Error AS quesry | fields query ]
| ...

In this way you search in full text search in all events.

Bye.
Giuseppe

0 Karma
Reply

luc_k
Engager
‎09-20-2017 12:08 AM

To return the Source column - something like your_search [ | inputlookup your_lookup.csv | rename Error AS quesry | fields query ] | lookup your_lookup.csv ...?

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-20-2017 03:45 AM

Hi luc_k,
it isn't so easy this last question because when you use query field in search you lose the pair field=value and you have to rebuid it,
you should try something like this:

 your_search [ | inputlookup your_lookup.csv | rename Error AS quesry | fields query ]
 | rename _raw as rawText
 | eval foo=[
     | inputlookup your_lookup.csv 
     | eval query="%"+Error+"%" 
     | stats values(query) AS query 
     | eval query=mvjoin(query,",") 
     | fields query 
     | format "" "" "" "" "" ""
     ]
| eval foo=split(foo,",") 
| mvexpand foo 
| where like(rawText,foo)
| rex field=foo "\%(?<Error>[^\%]*)\%"
| ...

Bye.
Giuseppe

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-20-2017 04:10 AM

If this answer satisfies your question, please accept or upvote it.
Bye.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...