About MVK1

MVK1

Thank you for your time and response. I now don't see double quotes in the search query. This is helpful. startswith="my start msg" endswith="my end msg" --> works startswith IN ("my start msg1", "my start msg2", "my start msg3") endswith="my end msg" ---> This is honoring only endswith flag and not returning events starting with my start msg lines "my start msg1" or "my start msg2" or "my start msg3" I notice that splunk search returns events before these matching startswith fields I will open a different question for that.

MVK1

Assuming my messages.csv has a single row with Messages field "My input search message" I dont see any double quotes added until these 3 lines | inputlookup messages.csv | fields Messages | rename Messages as search I see My input search message After adding 4th line | inputlookup messages.csv | fields Messages | rename Messages as search | format "(" "\"" "" "\"" "," ")" I see the following ( " "My input search message" " ) After adding 5th line | inputlookup messages.csv | fields Messages | rename Messages as search | format "(" "\"" "" "\"" "," ")" | rex field=search mode=sed "s/ *\" */\"/g" I see the following result with two doublequotes (""My input search message"")

MVK1

My guess of incorrect search results could be because of having spaces in my Message field in CSV my input lookup CSV Message filed has a string "My input search message" I need to match all lines that start with entire line between "My input search message" and a given endswith Currently I guess it is individually looking for events "My" "input" "search" "message" separately Can you please help how to match entire message in startswitb ?

MVK1

Thanks for the response @yuanliu May I know what this block is doing? | format "(" "\"" "" "\"" "," ")" | rex field=search mode=sed "s/ *\" */\"/g" I don't see lines starting with startswith but see correct lines ending with endswith when I run this command separately |inputlookup messages.csv | fields Messages | rename Messages as search | format "(" "\"" "" "\"" "," ")" | rex field=search mode=sed "s/ *\" */\"/g" I see a column with name search and value (""field1"") Do we need to have field1 inside parentheses and two double quotes?

MVK1

Hello I have the following sample log lines from a splunk search query line1 line2 line3: field1 : some msg line4 line5 status: PASS line6 line7 line3: field2: some msg line8 line9: status: PASS line1 line2 line3: field3: some msg line4 line5: status: PASS line1 line2 line3: field4: some msg line4 line5: status: PASS I want to write a transaction to return lines between field1, status: PASS field2, status: PASS field3: status:PASS and so-on I have tried the following search query with multiple startswith values index="test1" source="test2" run="test3" | transaction source run startswith IN ("field1", "field2", "field3") endswith="status: PASS" Instead of using IN keyword for startswith, I want to use a csv lookup table messages.csv Sample messages.csv content id,Message 1,field1 2,field2 3,field3 4,field4 I want to write splunk transaction command with startswith parameter containing each Message field from messages.csv My inputlookup CSV file may have 100 different rows with different messages There is also a chance that my splunk search results may not have any entries with lines containing field1, field2, field3, field4 Can someone please help on how to write splunk transaction where startswith needs to be run for each Message in messages.csv?

MVK1 · ‎03-29-2024

@yuanliu Thanks again for your detailed explanation. Apologies, I should have asked id_num as a follow-up question and not related to this main question. Instead of using filldown to populate id_num, I extracted id_num and included as part of fields for every payload upload to Splunk. I have updated to the following query and it worked index="demo1" source="demo2" [inputlookup sample.csv | fields FailureMsg | rename FailureMsg AS search | format ] | rex field=_raw "test_field_name=(?P<test_field_name>.+)]:" | search test_field_name="test_field_name_1" | table _raw id_num Thanks again for your detailed analysis and guidance in helping solve this.

MVK1 · ‎03-29-2024

@yuanliu apologies my bad - moving inputlookup at the end is returning all results (NOT just search results) index="demo1" source="demo2" | rex field=_raw "id_num \{ data: (?P<id_num>\d+) \}" | rex field=_raw "test_field_name=(?P<test_field_name>.+)]:" | search test_field_name="test_field_name_1" | table _raw id_num | reverse | filldown id_num [inputlookup sample.csv | fields FailureMsg | rename FailureMsg AS search | format] Could you please help ?

MVK1 · ‎03-29-2024

@yuanliu Thank you for your response again. Apologies for my wording if it created any confusion. I will be more careful going forward. You're right, I meant my search did not return any results in my context. This query returned my matching search results events . I noticed that id_num field in the search results was blank as I was using filldown to populate id_num fields index="demo1" source="demo2" [inputlookup sample.csv | fields FailureMsg | rename FailureMsg AS search | format] | rex field=_raw "id_num \{ data: (?P<id_num>\d+) \}" | rex field=_raw "test_field_name=(?P<test_field_name>.+)]:" | search test_field_name="test_field_name_1" | table _raw id_num | reverse | filldown id_num I moved lookup at the end after filldown and I see id_num field as well in search results table index="demo1" source="demo2" | rex field=_raw "id_num \{ data: (?P<id_num>\d+) \}" | rex field=_raw "test_field_name=(?P<test_field_name>.+)]:" | search test_field_name="test_field_name_1" | table _raw id_num | reverse | filldown id_num [inputlookup sample.csv | fields FailureMsg | rename FailureMsg AS search | format]

MVK1 · ‎03-29-2024

@yuanliu Thank you for your reply . The following block works for me when run independently . index="demo1" source="demo2" | rex field=_raw "id_num \{ data: (?P<id_num>\d+) \}" | rex field=_raw "test_field_name=(?P<test_field_name>.+)]:" | search test_field_name="test_field_name_1" | table _raw id_num | reverse | filldown id_num and this query works | inputlookup sample.csv | fields FailureMsg but this block does not work for me index="demo1" source="demo2" [inputlookup sample.csv | fields FailureMsg] Tried this block as well, it did not work for me index="demo1" source="demo2" [ | inputlookup sample.csv | fields FailureMsg ] Since above query did not work, entire block you suggested did not work as well index="demo1" source="demo2" [inputlookup sample.csv | fields FailureMsg] | rex field=_raw "id_num \{ data: (?P<id_num>\d+) \}" | rex field=_raw "test_field_name=(?P<test_field_name>.+)]:" | search test_field_name=test_field_name_1 | table _raw id_num | reverse | filldown id_num This query works for me when I search for fail_msg1 or fail_msg2 index="demo1" source="demo2" ("fail_msg1" OR "fail_msg2") any idea how to search this using inputlookup or lookup?

MVK1 · ‎03-27-2024

Thank you I have added double quotes in my lookup for FailureMsg field. Could you please help on how we can write lookup query to search for FailureMsg in _raw ?

MVK1 · ‎03-27-2024

Another update: my csv lookup in this example has only 2 rows, but it could have many more. Also I am not planning to use other fields Product, Feature but just need FailureMsg

MVK1 · ‎03-27-2024

Hi @meetmshah I have added sample _raw events from original query [test_field_name=test_field_name_1]: Hello This is event0 no_failure_msg some other message0 id_num { data: 000 }} [test_field_name=test_field_name_1]: Hello This is event1 fail_msg1 some other message1 id_num { data: 111 }} [test_field_name=test_field_name_1]: Hello This is event2 fail_msg2 some other message2 id_num { data: 999 }} [test_field_name=test_field_name_1]: Hello This is event3 no_failure_msg some other message3 id_num { data: 222 }} From these events I want to return these 2 events where fail_msg1 or fail_msg2 are present [test_field_name=test_field_name_1]: Hello This is event1 fail_msg1 some other message1 id_num { data: 111 }} [test_field_name=test_field_name_1]: Hello This is event2 fail_msg2 some other message2 id_num { data: 999 }}

MVK1 · ‎03-27-2024

Hello, I have a splunk query returning my search results index="demo1" source="demo2" | rex field=_raw "id_num \{ data: (?P<id_num>\d+) \}" | rex field=_raw "test_field_name=(?P<test_field_name>.+)]:" | search test_field_name=test_field_name_1 | table _raw id_num | reverse | filldown id_num From above table _raw may have *fail_msg1* or *fail_msg2* I have created a lookup file sample.csv with the following content Product,Feature,FailureMsg ABC,DEF,fail_msg1 ABC,DEF,fail_msg2 I want to search if FailureMsg field (fail_msg1 OR fail_msg2) is found in _raw of my splunk query search results and return only those matching lines. If they (fail_msg1 OR fail_msg2) are not found, return nothing Could you please share how to write lookup or inputlookup for fetching these results? If those

Posts	13
Solutions	1
Karma Given	2
Karma Received	0
Member Since	‎03-27-2024

Online Status	Offline
Date Last Visited	a week ago

transaction startswith from a lookup file

splunk search lookup help

Re: transaction startswith from a lookup file

Re: transaction startswith from a lookup file

Re: transaction startswith from a lookup file

Re: transaction startswith from a lookup file

transaction startswith from a lookup file

Re: splunk search lookup help

Re: splunk search lookup help

Re: splunk search lookup help

Re: splunk search lookup help

Re: splunk search lookup help

Re: splunk search lookup help

Re: splunk search lookup help

splunk search lookup help