11/25/2023

Splunk inputlookup

I've been asked a few times how best to search for events which may contain many different discrete values for a field. It's essentially using an OR (disjunctive search) in the search language:

sourcetype=my_sourcetype (planet=mars OR planet=earth OR planet=saturn)

This works fine for a finite case where you only have a handful of planets, but what happens if the field's possible search criteria change daily and may contain hundreds of possible values that you would like to input for the search? Certainly, using OR terms with over a hundred entries sounds impractical.

A solution is to have an external file that contains all the possible values you would like to use in the disjunctive search, and to use that file within the search language as input to the search criteria. With Splunk 4.0, one way this is possible out of the box is with the new lookup command. For an introduction to this command, please consult Bob Fox's blog entry discussing example usage. For now, I will assume you have basic knowledge of its usage, and I will list a possible solution for using OR with many possible values for a field.

First, use field extraction to extract the field in question. For our example I'll use an ip address field.

Next, create a CSV file in your SPLUNK_HOME/etc/app//lookups/ directory. I created iptable.csv with the following sample content to be used for input.
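In SPL the lookup file is typically fed into the search as a subsearch, e.g. sourcetype=my_sourcetype [| inputlookup iptable.csv | fields ip], which Splunk expands into the same (ip="..." OR ip="...") clause the post wants to avoid writing by hand. The following is an added example, not code from the post or from Splunk, that reproduces that expansion outside Splunk so the lookup's contents can be checked first: the CSV content is constructed here (the post's own sample is not on the page), and the field name ip and the validation/quoting helpers are this example's own assumptions.

```python
import csv
import io
import ipaddress

# Constructed sample of what iptable.csv in the app's lookups/ directory might hold.
# It deliberately includes a blank, a duplicate and a non-IP row to show the checks.
IPTABLE_CSV = """ip
10.0.0.5
192.168.1.20

203.0.113.7
not-an-ip
10.0.0.5
"""


def load_lookup_values(csv_text, field):
    """Read one column of a lookup CSV, dropping blanks, duplicates and values that are not valid IPs."""
    seen, values = set(), []
    for row in csv.DictReader(io.StringIO(csv_text)):
        raw = (row.get(field) or "").strip()
        if not raw or raw in seen:
            continue
        try:
            ipaddress.ip_address(raw)
        except ValueError:
            continue  # a garbled or tampered row is skipped rather than becoming search syntax
        seen.add(raw)
        values.append(raw)
    return values


def quote_spl(value):
    """Quote a value as an SPL string literal so operators or wildcards inside it are not interpreted."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_disjunction(field, values):
    """Build the (field="a" OR field="b" ...) clause a [| inputlookup ... | fields field] subsearch yields."""
    if not values:
        return None
    return "(" + " OR ".join(f"{field}={quote_spl(v)}" for v in values) + ")"


def build_search(sourcetype, field, csv_text):
    """Compose the full search; refuse to emit an unfiltered search if the lookup has no usable rows."""
    clause = build_disjunction(field, load_lookup_values(csv_text, field))
    if clause is None:
        raise ValueError("lookup produced no usable values; refusing to run an unfiltered search")
    return f"sourcetype={sourcetype} {clause}"


if __name__ == "__main__":
    print(build_search("my_sourcetype", "ip", IPTABLE_CSV))
```

Keep in mind that a subsearch is capped by limits.conf [subsearch] maxout (10,000 rows by default), so a lookup larger than that is silently truncated; checking the row count as above before relying on it avoids a search that quietly misses values.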