topic Re: Splunk search using CSV file data as input in Getting Data In

Splunk search using CSV file data as input

psalibindla9524 — Mon, 15 Aug 2016 05:37:11 GMT

I would like to search

index=main type=router OR type=switch OR type=firewall OR type=sysproxy ..

Instead i wanna do as below
test.csv
devicetype
router
switch
firewall
sysproxy
webproxy

index=main |search [|inputlookup test.csv |feilds devicetype]

It does not return the output. Can you please help how to get the results.

Re: Splunk search using CSV file data as input

sundareshr — Mon, 15 Aug 2016 12:18:04 GMT

In you first search example, the field name appears to be type whereas in the .csv field, field name is devicetype For your subsearch to work, the two needs to be the same. So you could either rename the field in the .csv by editing it, or you could try your search like this

index=main |search [|inputlookup test.csv |rename devicetype AS type | fields type]

Re: Splunk search using CSV file data as input

echalex — Mon, 15 Aug 2016 12:43:13 GMT

Since sundareshr was first to answer (in a comment), I'm demoting my answer to a comment. The solution is indeed correct, but you can shorten it a bit:

index=main [|inputlookup test.csv |rename devicetype AS type | fields type]

(oh, and I had a typo in my answer... Fixed now.)

Re: Splunk search using CSV file data as input

tjrhodeback — Wed, 14 Jun 2017 14:39:42 GMT

There is also a typo "|feilds devicetype]"