
search help against lookup values

mcbradford
Contributor

eventtype=bluecoat [| inputlookup wfap_lookup | where wfap_priority=2 | fields wfap_indicator | rename wfap_indicator as search| format "" "(" "OR" ")" "OR" ""] user="test"

The lookup will contain values such as:

string       priority
car          0
"red car"    2
"blue car"   1
red          3

The problem I am having is with the multi-string values. For example, if I am looking for "red car", the search above will find within an event red and car, but not always as the string "red car". The event might have something like, "Red is a nice color. A fast car is fun to drive".

alacercogitatus
SplunkTrust

I would agree with Ayn, but when I ran it, the search didn't have the quotes around "red car". I added this: | eval search = "\"" .search."\"" | before the format and it returned with the quoted "red car", which will search for "red car" and not "red AND car".


Ayn
Legend

You can check exactly what the subsearch will return by just running it on its own, including the format at the end. I just tried recreating your scenario and get the search string ( "red car" ) OR ( "blue car" ). If you're getting the same string, I don't see why Splunk would behave like you describe. It should match the whole string, not individual words.
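To make the phrase-versus-AND distinction in the two replies above concrete, here is an added Python example; it is not part of the thread and not Splunk code. It rebuilds the subsearch string the way the `format "" "(" "OR" ")" "OR" ""` arguments lay it out, once with the quoting alacercogitatus adds and once without, and checks each form against the sample event from the question. The lookup rows are a constructed stand-in for `wfap_lookup`, and `term_matches` only approximates Splunk's tokenized matching. The `spl_quote` helper goes one step beyond the thread's `eval`: it also escapes embedded backslashes and double quotes, so a lookup value that itself contains a `"` cannot truncate or alter the generated search.

```python
import re

# Constructed stand-in for the wfap_lookup rows described in the question (not real data).
WFAP_LOOKUP = [
    {"wfap_indicator": "car", "wfap_priority": 0},
    {"wfap_indicator": "red car", "wfap_priority": 2},
    {"wfap_indicator": "blue car", "wfap_priority": 1},
    {"wfap_indicator": "red", "wfap_priority": 3},
]

# Event text from the question: it contains the words red and car, but not the phrase.
SAMPLE_EVENT = "Red is a nice color. A fast car is fun to drive"


def spl_quote(value: str) -> str:
    # Wrap a lookup value in double quotes so SPL treats it as a single phrase term.
    # Backslashes and embedded double quotes are escaped first. The eval in the
    # thread does not do this, so a lookup row holding a stray double quote would
    # otherwise break out of the quoted term and change the search.
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def build_subsearch(rows, priority, quote=True):
    # Emulate the subsearch: keep rows with the requested wfap_priority, then lay
    # the indicators out the way the thread's format arguments do: one ( term )
    # per row, rows joined by OR, no outer parentheses (matching Ayn's output).
    # With quote=False the terms are emitted bare, which is the failure mode in
    # the question: a bare red car is two AND-ed terms, not a phrase.
    terms = [r["wfap_indicator"] for r in rows if r["wfap_priority"] == priority]
    rendered = [spl_quote(t) if quote else t for t in terms]
    return " OR ".join(f"( {t} )" for t in rendered)


def build_search(rows, priority, quote=True):
    # Splice the emulated subsearch into the outer search from the question.
    return f'eventtype=bluecoat {build_subsearch(rows, priority, quote)} user="test"'


def term_matches(event, term, quoted):
    # Approximation of how Splunk matches one emitted term against raw event text.
    # A quoted term must occur as a contiguous, case-insensitive phrase. A bare
    # multi-word term is implicitly AND-ed, so each word only has to occur
    # somewhere in the event as a whole word.
    text = event.lower()
    if quoted:
        return term.lower() in text
    return all(re.search(r"\b" + re.escape(w) + r"\b", text) for w in term.lower().split())


if __name__ == "__main__":
    for quote in (False, True):
        print(build_search(WFAP_LOOKUP, 2, quote))
        print("  matches sample event:", term_matches(SAMPLE_EVENT, "red car", quote))
```

Running it prints the bare form `( red car )`, which the sample event satisfies, and the quoted form `( "red car" )`, which it does not. The authoritative check remains the one Ayn describes: run the subsearch on its own, including the `format`, and read the string Splunk actually produces.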
