stackoom
  简体   繁体   中英

Splunk - How to get results only if search field contains a word in the lookup table

 原文  2019-09-13 18:28:08       splunk/ splunk-query

Question

If I have a search result which has a field named "Field1" and It has values like :

This is Word1 now.

This is Word2 now.

This is WordX now.

This is WordZ now.

Below is the lookup table for Words.

Field1

Word1

Word2

Word3

Word4

Word5

Word6

How can I search so I get ONLY below results in the output because they contain "Word1" and "Word2" which are in the lookup table?

This is Word1 now.

This is Word2 now.

1 answers

solution1
 0  2019-09-15 13:11:18

One way is to read the lookup file in a subsearch. 

index=foo [ | inputlookup words.csv | format ]

The format command puts the contents of the lookup file into field=value format so the final query becomes index=foo ((field1=Word1) OR (field1=Word2)) .

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Search in Splunk in a lookup table with multivalue fields In splunk, how to create Private Lookup table for individual? How to get particular field in splunk search for a nested JSON event Splunk search - How to loop on multi values field Splunk - No results, but search is correct How to count results in Splunk and put them in a table? How to use/do where in column of a lookup in Splunk Search Query in splunk search How to get all instances that has a field without any value Get distinct results (filtered results) of Splunk Query based on a results field/string value Splunk: How to extract field directly in Search command using regular expressions?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM