Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to do an open text search using a lookup table?

DEAD_BEEF
Builder
‎07-27-2018 10:32 AM

I have an inventory csv file and want to do an open text search for all the hostnames in my lookup table. The reason I say "open text search" is because the hostname field is named differently across various indexes so I can't point my LUT column to a specific log field.

I am basically trying to avoid the below query as I don't want to type out (copy+paste) all the hostnames

index=web OR index=main OR index=os (host1 OR host2 OR ... host n)

My current query is:

index=*
    [| inputlookup hosts.csv 
    | fields name
    ]
| stats count by index sourcetype
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jplumsdaine22
Influencer
‎07-27-2018 10:45 AM

To return strings instead of KV pairs from a subsearch, use the format command (after renaming the field to literally search)

 index=*
 [| inputlookup hosts.csv 
 | fields name
 | rename name as search
 | format
 ]
 | stats count by index sourcetype

For event faster performance, (but if and only if your hostnames contain no segments (dashes etc)) use |tstats instead

 |tstats count WHERE index=*
     [| inputlookup hosts.csv 
     | fields name
     | rename name as search
     | format
     ]
 by index sourcetype

View solution in original post

Reply
Solved! Jump to solution
Solution

jplumsdaine22
Influencer
‎07-27-2018 10:45 AM

To return strings instead of KV pairs from a subsearch, use the format command (after renaming the field to literally search)

 index=*
 [| inputlookup hosts.csv 
 | fields name
 | rename name as search
 | format
 ]
 | stats count by index sourcetype

For event faster performance, (but if and only if your hostnames contain no segments (dashes etc)) use |tstats instead

 |tstats count WHERE index=*
     [| inputlookup hosts.csv 
     | fields name
     | rename name as search
     | format
     ]
 by index sourcetype
Reply
Solved! Jump to solution

DEAD_BEEF
Builder
‎07-27-2018 10:57 AM

The first query works perfectly! The tstats doesn't seem to work as I get the error, Error in 'TsidxStats': WHERE clause is not an exact query. The hostnames have "." in some of them, not sure if that is the problem.

0 Karma
Reply
Solved! Jump to solution

jplumsdaine22
Influencer
‎07-27-2018 11:13 AM

Yep any special characters will cause the stats search to fail. For a deeper explanation into why that is so, have a read through this: https://conf.splunk.com/files/2017/slides/fields-indexed-tokens-and-you.pdf.

If the answer worked for you would you mind accepting it?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...