How to use subsearch without a field name? (but just with field value)

koshyk
Super Champion

We have got data which contains the field in many places.
Events

2018-09-05 01:00:00 logged in by USER1 
2018-09-05 01:00:01 logged in as USER2 by USER1 
2018-09-05 01:00:02 logged in as USER3 by USER4  and as USER2 by USER1 
2018-09-05 01:00:04 logged in as USER5 by USER6

Reference lookup (usernames.csv)

user,name
USER1,bob
USER4,chuck

The events are not parsed and we just need to check whether USER1 or USER4 (the user field from the reference lookup) is present in the events. But there is NO field mapped in the raw events.

Hence if I do the search below, no data shows up:

index=*  [|inputlookup usernames.csv | fields user] 

I believe the above search expands as index=* (user=USER1 OR user=USER4)
I was looking for the search to expand like:

index=* (USER1 OR USER4)

So how to remove the "user" field from the lookup, so it searches just for the "user" value without the field=value concept?

1 Solution

gcusello
SplunkTrust

Hi koshyk,
if I correctly understand, you want to use the value of the field user as a free text search on your logs.
If this is your need, you could try something like this:

index=*  [ | inputlookup usernames.csv | rename user AS query | fields query ] 

Bye.
Giuseppe

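To make the field/value distinction concrete, here is an added Python model (my own, not code from the thread or from Splunk) of how the subsearch rows expand into search terms and why the accepted answer matches while the original attempt does not. The event lines and lookup rows are the ones from the question; the token-matching and field-extraction behaviour is a simplified assumption, not Splunk's actual implementation.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample data, copied from the events and usernames.csv in the question.
EVENTS = [
    "2018-09-05 01:00:00 logged in by USER1",
    "2018-09-05 01:00:01 logged in as USER2 by USER1",
    "2018-09-05 01:00:02 logged in as USER3 by USER4  and as USER2 by USER1",
    "2018-09-05 01:00:04 logged in as USER5 by USER6",
]
LOOKUP = [{"user": "USER1", "name": "bob"}, {"user": "USER4", "name": "chuck"}]

Clause = List[Tuple[Optional[str], str]]  # (field, value); field is None for free text

def project(rows: List[Dict[str, str]], rename: Dict[str, str], keep: List[str]) -> List[Dict[str, str]]:
    """Model '| rename a AS b | fields b' applied to the subsearch rows."""
    return [{rename.get(k, k): v for k, v in row.items() if rename.get(k, k) in keep} for row in rows]

def subsearch_clauses(rows: List[Dict[str, str]]) -> List[Clause]:
    """Model how the subsearch rows become search terms: each row is an AND of
    field="value" pairs and the rows are OR'd. A field literally named 'search'
    or 'query' is special: only its value is used, as a free-text term."""
    return [[(None if f in ("search", "query") else f, v) for f, v in row.items()] for row in rows]

def render(clauses: List[Clause]) -> str:
    """The string the outer search effectively sees after expansion."""
    ands = [" AND ".join(v if f is None else f'{f}="{v}"' for f, v in c) for c in clauses]
    return "(" + " OR ".join(f"({a})" for a in ands) + ")"

def matches(raw: str, clauses: List[Clause], extract: Callable[[str], Dict[str, str]]) -> bool:
    """Evaluate the expanded search against one event (simplified assumption):
    free-text terms match whole tokens of _raw case-insensitively, so USER1 does
    not match USER10 but does match the name wherever it appears (actor or target);
    field terms require an extracted field holding exactly that value."""
    tokens = {t.lower() for t in re.findall(r"\w+", raw)}
    fields = extract(raw)
    return any(all(v.lower() in tokens if f is None else fields.get(f) == v for f, v in c)
               for c in clauses)

def no_extraction(raw: str) -> Dict[str, str]:
    """The asker's situation: nothing maps a 'user' field onto the raw events."""
    return {}

def run(rows: List[Dict[str, str]], extract: Callable[[str], Dict[str, str]] = no_extraction) -> List[str]:
    return [e for e in EVENTS if matches(e, subsearch_clauses(rows), extract)]

if __name__ == "__main__":
    field_rows = project(LOOKUP, {}, ["user"])                 # original '| fields user'
    print(render(subsearch_clauses(field_rows)), len(run(field_rows)))   # 0 events
    query_rows = project(LOOKUP, {"user": "query"}, ["query"])  # accepted answer
    print(render(subsearch_clauses(query_rows)), len(run(query_rows)))   # 3 events
```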

cafissimo
Communicator

Hello,
try this, it should work fine:

index=*  [|inputlookup usernames.csv | fields user | rename user AS query ] 

You could also take a look at this doc page:
http://docs.splunk.com/Documentation/Splunk/latest/Search/Changetheformatofsubsearchresults

Regards,
Luca.

koshyk
Super Champion

Thank you.
