
search help against lookup values

mcbradford
Contributor

eventtype=bluecoat [| inputlookup wfap_lookup | where wfap_priority=2 | fields wfap_indicator | rename wfap_indicator as search| format "" "(" "OR" ")" "OR" ""] user="test"

The lookup will contain values such as:

string      priority
car         0
"red car"   2
"blue car"  1
red         3

The problem I am having is with the multi-string values. For example, if I am looking for "red car", the search above will find red and car within an event, but not always as the string "red car". The event might have something like, "Red is a nice color. A fast car is fun to drive".

alacercogitatus
SplunkTrust

I would agree with Ayn, but when I ran it, the search didn't have the quotes around "red car". I added this: | eval search = "\"" . search . "\"" | before the format, and it returned the quoted "red car", which will search for "red car" and not "red AND car".


Ayn
Legend

You can check exactly what the subsearch will return by just running it on its own, including the format at the end. I just tried recreating your scenario and get the search string ( "red car" ) OR ( "blue car" ). If you're getting the same string, I don't see why Splunk would behave like you describe. It should match the whole string, not individual words.
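
The expansion and matching behaviour the two replies describe, as an added Python model that is not Splunk code and not part of any post in this thread. It assumes the lookup rows from the question (constructed inline), the field name search that makes format splice values in raw, and Splunk's search semantics that an unquoted multi-word value is treated as separate terms with an implicit AND while a quoted value is matched as a phrase; the matches() routine is a deliberately simplified, case-insensitive model of that evaluation, not Splunk's engine.

```python
import re

# Constructed lookup rows, mirroring the table in the question (not a real lookup file).
WFAP_LOOKUP = [
    {"wfap_indicator": "car", "wfap_priority": 0},
    {"wfap_indicator": "red car", "wfap_priority": 2},
    {"wfap_indicator": "blue car", "wfap_priority": 1},
    {"wfap_indicator": "red", "wfap_priority": 3},
]

# The event from the question, constructed here as sample input.
EVENT = "Red is a nice color. A fast car is fun to drive"


def expand_subsearch(rows, keep, quote):
    """Model the subsearch pipeline from the question:
    inputlookup -> where (keep) -> fields/rename as 'search'
    [-> eval search = "\"" . search . "\""]  -> format "" "(" "OR" ")" "OR" ""
    Returns the string that would be spliced into the outer search.
    """
    values = [r["wfap_indicator"] for r in rows if keep(r["wfap_priority"])]
    if quote:
        # The eval from the second reply: wrap each value in literal quotes.
        values = ['"' + v + '"' for v in values]
    # format arguments: row prefix "", column prefix "(", column separator "OR",
    # column end ")", row separator "OR", row end "". With one column per row
    # the column separator never appears, so each row becomes "( value )",
    # joined by OR, which is the shape Ayn reported.
    return " OR ".join("( " + v + " )" for v in values)


GROUP = re.compile(r"\(\s*(.*?)\s*\)")


def _tokens(text):
    """Lower-case word tokens; models case-insensitive term matching."""
    return re.findall(r"[a-z0-9]+", text.lower())


def matches(event, expansion):
    """Evaluate the spliced clause against one event (simplified model).
    Each OR alternative is either a quoted phrase, which must occur as a
    contiguous run of words, or bare words, which are AND-ed implicitly,
    so each must occur somewhere in the event.
    """
    ev = _tokens(event)
    for group in GROUP.findall(expansion):
        if len(group) >= 2 and group[0] == '"' and group[-1] == '"':
            phrase = _tokens(group[1:-1])
            n = len(phrase)
            if phrase and any(ev[i:i + n] == phrase for i in range(len(ev) - n + 1)):
                return True
        else:
            terms = _tokens(group)
            if terms and all(t in ev for t in terms):
                return True
    return False


if __name__ == "__main__":
    for quote in (False, True):
        clause = expand_subsearch(WFAP_LOOKUP, lambda p: p == 2, quote)
        print(clause, "->", matches(EVENT, clause))
```

Running the unquoted expansion against the question's event shows why it matched: both red and car are present as separate words. The quoted expansion requires them adjacent and does not match, which is the behaviour the second reply's eval produces.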
