topic I have some data, if the message contains a word which is in a csv file, then results should show in a table. How should I edit my search? in Getting Data In

I have some data, if the message contains a word which is in a csv file, then results should show in a table. How should I edit my search?

nagarjuna280 — Sat, 22 Apr 2017 02:53:43 GMT

I have some data, if the message contains a word which is in a csv file, then results should show in a table. How should I edit my search?

I have a csv file which contains keywords like:

kill
bomb
gun
drugs
Anthrax
Arms
Attack
Atomic
If the message contains more than one word like:

take your gun
kill him
And I search like this:

search | table message, id ,name
then results should look like this:

message id name

Re: I have some data, if the message contains a word which is in a csv file, then results should show in a table. How should I edit my search?

niketn — Sun, 23 Apr 2017 08:03:01 GMT

Following query creates a dummy lookup using makeresults (In case of lookup file you can use inputlookup command instead.)

| makeresults
| eval findPattern="kill,bomb,gun,drugs,Anthrax,Arms,Attack,Atomic"
| makemv delim="," findPattern 
| mvexpand findPattern limit=10

Splunk's map command would be able to iterate though the keywords in the previous query

| map search="| makeresults | eval testData=\"Chuck Norris doesn't need gun to kill\"| eval matched=if(match(testData,\"$findPattern$\"),1,0)"
| search matched="1"
| stats sum(matched) as matched by testData
| table testData, matched

Combine the above two search which is a run anywhere example.

Re: I have some data, if the message contains a word which is in a csv file, then results should show in a table. How should I edit my search?

viji261992 — Fri, 05 Oct 2018 07:01:10 GMT

I have a .csv file whose name is bad.csv in which the column name is eventuei I want that column to be displayed in my report.
Please let me know how to pull the .csv file inside the query and display the "eventuei" column in the report.