Field Name/Value Pairs - Searching with a Lookup T...

SplunkMonster · ‎08-13-2013

I'm looking to read in a set of field name/value pairs from a given lookup table (using inputlookup) and then use that as a set of parameters in a search. Specifically, I'm looking to search for "field_name = X" value in a given index and then use that list of field/value pairs as an exclusion list to what I'm searching for. I could also have multiple sets of field/value pairs. So, in other words, in plain english:

Search for FieldName = X in ABC Index
But not if (A=blah AND B=doh AND C=meh) OR (B=meh AND C=blah)
(etc.)

and the A/blah, B/doh, C/meh etc. values would all be field/value pairs in the lookup table that are read in via inputlookup.

So far I've successfully used inputlookup w/csv tables for filtering out/including single values where I pre-define the field name in the search, but I haven't found a good way of doing more complicated logic where the field name is actually being read from a table and you can have multiple groupings. I'd appreciate any feedback/help anyone has to offer. Thanks!

gkanapathy · ‎08-13-2013

You might look at subsearches and use of the "format" search command, sending extra non-default arguments to "format". It may be able to do what you want.

Ayn · ‎08-13-2013

Where do you get stuck with using inputlookup? Let's say you have the following lookup:

A,B,C
blah,doh,meh
,meh,blah

This will translate into the filter string you've specified (you can see this for yourself by running "|inputlookup yourlookup | format"):

( ( A="blah" AND B="doh" AND C="meh" ) OR ( B="meh" AND C="blah" ) )

To negate this, just put a NOT before the subsearch. So in conclusion, you'll want something like:

index=ABC FieldName=X NOT [|inputlookup yourlookup]

Field Name/Value Pairs - Searching with a Lookup Table

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!