https://community.splunk.com/t5/Getting-Data-In/pull-search-terms-from-a-single-column-csv-file-for-scheduled/m-p/478411#M82134 <P>I have several search queries that i then save as reports (and schedule them), they ultimately are displayed on a dashboard (some are displayed on wall monitors).</P> <P>Once seeing these dashboards Quite often, i have to come back and modify the query to remove some data.</P> <P><STRONG>So i was hoping i could add these terms into a single column CSV file (with 1 single header), and just add new terms, and re-upload the CSV file when i need to update the query. (but i cant figure out how to do this)</STRONG> Example:</P> <P>original query:</P> <PRE><CODE>index=fwonly ATkc NOT src_ip="10.0.0.0/8" | search asn!=Bob asn!=frank asn!=joe </CODE></PRE> <P>What im hoping for/asking:</P> <PRE><CODE>index=fwonly ATkc NOT src_ip="10.0.0.0/8" | search asn!=LIST.csv </CODE></PRE> <P>Im hoping, as needed i can just reupload a new LIST.csv file that contains:<BR /> asn<BR /> frank<BR /> joe<BR /> Bob<BR /> new_term1<BR /> new_term2</P> <P>and since its the LIST.csv being referenced, all my scheduled reports using LIST.csv will be updated.</P> <P>I think what i want is to add/upload a lookup table file, create a CSV lookup definition (set permissions on both) and then cite/use that defined lookup table in my search query. But i havent been able to make much headway on this. These are the threads / docs ive been following or tried so far-</P> <P><A href="https://answers.splunk.com/answers/50649/searching-each-line-of-a-file-against-a-splunk-index.html" target="_blank">https://answers.splunk.com/answers/50649/searching-each-line-of-a-file-against-a-splunk-index.html</A></P> <P><A href="https://docs.splunk.com/Documentation/Splunk/7.0.2/Knowledge/Usefieldlookupstoaddinformationtoyourevents" target="_blank">https://docs.splunk.com/Documentation/Splunk/7.0.2/Knowledge/Usefieldlookupstoaddinformationtoyourevents</A></P> <P><A href="https://answers.splunk.com/answers/50649/searching-each-line-of-a-file-against-a-splunk-index.html" target="_blank">https://answers.splunk.com/answers/50649/searching-each-line-of-a-file-against-a-splunk-index.html</A></P> <P>(any help is appreciated, or please do tell if this usecase is not something i should be hoping to do easily with splunk) thanks!</P> Wed, 30 Sep 2020 03:34:50 GMT spunk311z 2020-09-30T03:34:50Z https://community.splunk.com/t5/Getting-Data-In/pull-search-terms-from-a-single-column-csv-file-for-scheduled/m-p/478411#M82134 <P>I have several search queries that i then save as reports (and schedule them), they ultimately are displayed on a dashboard (some are displayed on wall monitors).</P> <P>Once seeing these dashboards Quite often, i have to come back and modify the query to remove some data.</P> <P><STRONG>So i was hoping i could add these terms into a single column CSV file (with 1 single header), and just add new terms, and re-upload the CSV file when i need to update the query. (but i cant figure out how to do this)</STRONG> Example:</P> <P>original query:</P> <PRE><CODE>index=fwonly ATkc NOT src_ip="10.0.0.0/8" | search asn!=Bob asn!=frank asn!=joe </CODE></PRE> <P>What im hoping for/asking:</P> <PRE><CODE>index=fwonly ATkc NOT src_ip="10.0.0.0/8" | search asn!=LIST.csv </CODE></PRE> <P>Im hoping, as needed i can just reupload a new LIST.csv file that contains:<BR /> asn<BR /> frank<BR /> joe<BR /> Bob<BR /> new_term1<BR /> new_term2</P> <P>and since its the LIST.csv being referenced, all my scheduled reports using LIST.csv will be updated.</P> <P>I think what i want is to add/upload a lookup table file, create a CSV lookup definition (set permissions on both) and then cite/use that defined lookup table in my search query. But i havent been able to make much headway on this. These are the threads / docs ive been following or tried so far-</P> <P><A href="https://answers.splunk.com/answers/50649/searching-each-line-of-a-file-against-a-splunk-index.html" target="_blank">https://answers.splunk.com/answers/50649/searching-each-line-of-a-file-against-a-splunk-index.html</A></P> <P><A href="https://docs.splunk.com/Documentation/Splunk/7.0.2/Knowledge/Usefieldlookupstoaddinformationtoyourevents" target="_blank">https://docs.splunk.com/Documentation/Splunk/7.0.2/Knowledge/Usefieldlookupstoaddinformationtoyourevents</A></P> <P><A href="https://answers.splunk.com/answers/50649/searching-each-line-of-a-file-against-a-splunk-index.html" target="_blank">https://answers.splunk.com/answers/50649/searching-each-line-of-a-file-against-a-splunk-index.html</A></P> <P>(any help is appreciated, or please do tell if this usecase is not something i should be hoping to do easily with splunk) thanks!</P> Wed, 30 Sep 2020 03:34:50 GMT https://community.splunk.com/t5/Getting-Data-In/pull-search-terms-from-a-single-column-csv-file-for-scheduled/m-p/478411#M82134 spunk311z 2020-09-30T03:34:50Z https://community.splunk.com/t5/Getting-Data-In/pull-search-terms-from-a-single-column-csv-file-for-scheduled/m-p/478412#M82135 <P>Have you tried <CODE>index=fwonly ATkc NOT src_ip="10.0.0.0/8" NOT [ | inputlookup LIST.csv | fields asn | format ]</CODE>?</P> Wed, 01 Jan 2020 19:37:56 GMT https://community.splunk.com/t5/Getting-Data-In/pull-search-terms-from-a-single-column-csv-file-for-scheduled/m-p/478412#M82135 richgalloway 2020-01-01T19:37:56Z https://community.splunk.com/t5/Getting-Data-In/pull-search-terms-from-a-single-column-csv-file-for-scheduled/m-p/478413#M82136 <P>awesome! thanks so much, that did work! </P> <P>for any others in the future, all i had to do was upload the csv file, create a lookup definition, (after which you should then see the Supported fields column update w the header from your csv file, in my case just 1x header/column). then you can use richgalloway's [ | inputlookup LIST.csv | fields asn | format ] to pull queries from that csv file, which makes for easy updating in the future!)</P> Wed, 01 Jan 2020 23:19:42 GMT https://community.splunk.com/t5/Getting-Data-In/pull-search-terms-from-a-single-column-csv-file-for-scheduled/m-p/478413#M82136 spunk311z 2020-01-01T23:19:42Z