topic Re: Using CSV file as input to search in Getting Data In

Using CSV file as input to search

insomniacnerd94 — Wed, 30 Sep 2020 00:27:13 GMT

I am trying to use a list from a CSV file to query results for that list, but I only get a result from the first row.

The data looks like such;
workstation_1
workstation_2
workstation_3

The query looks like such;
index="wineventlog" Source_Workstation=* [inputlookup test.csv | fields "Workstation Name" | rename "Workstation Name" as search] | table Source_Workstation, _time, Logon_Account | dedup Source_Workstation

Re: Using CSV file as input to search

koshyk — Wed, 08 May 2019 21:37:12 GMT

Few mistakes in your search

You need to put a | character before inputlookup

index="wineventlog" Source_Workstation=* [|inputlookup test.csv | fields "Workstation Name" ...

What is the name of the field in WinEventLog where you want WorkStation Name to be compared with? I don't think "Source_Workstation" is the field name. Assuming hostname is the field you want to compare the search would look like..

example

index="wineventlog" [|inputlookup test.csv | fields "Workstation Name" | rename "Workstation Name" as Source_Workstation] | stats count by Source_Workstation, _time, Logon_Account

Re: Using CSV file as input to search

insomniacnerd94 — Wed, 30 Sep 2020 00:27:38 GMT

Thanks for the help, but I actually figured it out. I had the following query;

Re: Using CSV file as input to search

koshyk — Thu, 09 May 2019 14:01:34 GMT

great. So the above search which I provided above, should also return similar results and would be faster as it directly uses stats count

Please upvote/accept, if it helped you

Re: Using CSV file as input to search

woodcock — Sun, 12 May 2019 04:59:38 GMT

Be sure to click Accept on this answer or post your own and accept that one. Do one or the other to close this question.