I am new to Splunk.
The `cluster` command gives me results that I am looking for and some. I would like to filter the results of this command with a list of regular expression patterns that I have stored in a KV store, but I am having a tough time getting the answers that I am looking for. When I run the `map` command below it looks like the `$payload$` ends up with the value rather than the field name.
The `app_critical_warning` KV store has a list of regexp patterns with one of the column names being `regexp_pattern`.
Here's the search that I have come up with:
index="someindex" msgtype::warning |
cluster t=0.9 showcount=true field=payload |
table cluster_count payload |
map [|inputlookup app_critical_warning |
regex $payload$=regexp_pattern ] maxsearches=10
Does anybody have any suggestions on how to go about this task? I can compose the search with all the `regexp` patterns, but I would like to maintain it in a KV store for logistic reasons.
Thank you!
↧