How to create a search that check each value from ...

Suagni · ‎01-18-2024

Hey Guys,

I am trying to write a SPL in splunk where I have a lookup file with 10 values and I want to search each value against a search and return results if found

Eg: LookupFile : Column name is States and the values are as below:

Alaska
Arizona
Arkansas
California
Colorado

Now I want to search each of the states one after the other in a search and display the results with the column (States, IP, Country, user, workstation) .

Pls help.

Thank you

gcusello · ‎01-18-2024

Hi @Suagni,

you have to use a subsearch, putting attention to the field names that must be the same in main and sub search, in other words that the States field is present in both the searches and it's written exactly in the same way (it's case sensitive),

something like this:

index=your_index [ | inputlookup your_lookup.csv | fields States ]
| table States IP Country user workstation

This is possible if all the fieds to display are in the main search and you have to check only if States values are also in the lookup.

If instead some fields arrive from the lookup, you have to add an additional command: so if e.g. Country field arrives only from the lookup, you have to write:

index=your_index [ | inputlookup your_lookup.csv | fields States ]
| lookup your_lookup.csv States OUTPUT Country
| table States IP Country user workstation

Ciao.

Giuseppe

How to create a search that check each value from inputlookup table in a seach and return the results

subsearch

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Introducing the Splunk Community Dashboard Challenge!

Wondering How to Build Resiliency in the Cloud?