Getting Data In

Field Name/Value Pairs - Searching with a Lookup Table

SplunkMonster
Engager

I'm looking to read in a set of field name/value pairs from a given lookup table (using inputlookup) and then use that as a set of parameters in a search. Specifically, I'm looking to search for "field_name = X" value in a given index and then use that list of field/value pairs as an exclusion list to what I'm searching for. I could also have multiple sets of field/value pairs. So, in other words, in plain English:

Search for FieldName = X in ABC Index
But not if (A=blah AND B=doh AND C=meh) OR (B=meh AND C=blah)
(etc.)

and the A/blah, B/doh, C/meh etc. values would all be field/value pairs in the lookup table that are read in via inputlookup.

So far I've successfully used inputlookup with CSV tables for filtering out/including single values where I pre-define the field name in the search, but I haven't found a good way of doing more complicated logic where the field name is actually being read from a table and you can have multiple groupings. I'd appreciate any feedback/help anyone has to offer. Thanks!

0 Karma

gkanapathy
Splunk Employee

You might look at subsearches and use of the "format" search command, sending extra non-default arguments to "format". It may be able to do what you want.

0 Karma

Ayn
Legend

Where do you get stuck with using inputlookup? Let's say you have the following lookup:

A,B,C
blah,doh,meh
,meh,blah

This will translate into the filter string you've specified (you can see this for yourself by running "|inputlookup yourlookup | format"):

( ( A="blah" AND B="doh" AND C="meh" ) OR ( B="meh" AND C="blah" ) )

To negate this, just put a NOT before the subsearch. So in conclusion, you'll want something like:

index=ABC FieldName=X NOT [|inputlookup yourlookup]

0 Karma
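To make it easier to see what the subsearch actually expands to before you put it into production (and to check what happens with blank cells), here is an added Python example that emulates the default behaviour of `inputlookup ... | format` on a small lookup. It is not Splunk's code or part of the answer above; the CSV content is constructed, and the treatment of a completely empty lookup as an error is this example's own choice, not Splunk's.

```python
import csv
import io
from typing import Optional

# Constructed sample lookup, the rows from the answer above. An empty cell
# means that field takes no part in that row's AND group.
LOOKUP_CSV = """A,B,C
blah,doh,meh
,meh,blah
"""


def quote(value: str) -> str:
    """Quote a lookup value for SPL, escaping backslashes and double quotes."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def row_to_group(row: dict) -> Optional[str]:
    """AND together the non-empty field=value pairs of one lookup row."""
    pairs = [f"{field}={quote(value)}" for field, value in row.items() if value != ""]
    if not pairs:
        return None  # a row with only blank cells contributes nothing
    return "( " + " AND ".join(pairs) + " )"


def lookup_to_filter(csv_text: str) -> str:
    """Emulate `| inputlookup ... | format`: each row becomes an AND group,
    the groups are joined with OR, and the whole is wrapped in parentheses."""
    rows = csv.DictReader(io.StringIO(csv_text))
    groups = [g for g in (row_to_group(r) for r in rows) if g is not None]
    if not groups:
        # Assumption of this example: an empty lookup would silently change
        # what the NOT excludes, so refuse rather than emit an empty filter.
        raise ValueError("lookup produced no field/value pairs")
    return "( " + " OR ".join(groups) + " )"


def exclusion_search(index: str, field: str, value: str, csv_text: str) -> str:
    """Build the full search: index=... Field=... NOT <expanded lookup>."""
    return f"index={index} {field}={value} NOT {lookup_to_filter(csv_text)}"


if __name__ == "__main__":
    print(exclusion_search("ABC", "FieldName", "X", LOOKUP_CSV))
```

Running it prints the same search string Ayn describes, with the second row's blank A column dropped from its group.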