topic How to search a list of words from csv file (lookup) in specific index events in Splunk Search

How to search a list of words from csv file (lookup) in specific index events

onkarkore1 — Sun, 11 Jun 2017 20:40:38 GMT

I have a lookup table which contains only one column with hundreds of entries, now I would like to search every word in splunk whether any event appear containing word from csv.

How can I achieve this?

any help will be appreciated.

Re: How to search a list of words from csv file (lookup) in specific index events

MuS — Sun, 11 Jun 2017 20:52:48 GMT

Hi onkarkore1,

you can try something like this:

 your base search here  [ | inputlookup yourLookupTableHere | return columnName ]

This will get all entries from the lookup and create a long search like this:

your base search here ( columnName=val1 OR columnName=val2 OR columnName=val3 .... )

Hope this helps to get you started ...

cheers, MuS

Re: How to search a list of words from csv file (lookup) in specific index events

onkarkore1 — Tue, 29 Sep 2020 14:25:35 GMT

II have a lookup table named transaction.csv contains one colunm, transaction_name. The goal is to have Splunk go through the lookup table and match text in the column named, transaction_name. and return a matching term

Lookup table is "transaction.csv" having one column named, transaction_name it have N numbers of entries (1000 entries) follows:

transaction_name
status
result
failed
success
report
idle
....
Any help would be great. I have tried the below:

index=index_name [| inputlookup transaction.csv | eval search=transaction_name | table search]

Above search query not returning matching terms in table format.

I would like to see output of matching terms(from csv file and events) in table format.

Re: How to search a list of words from csv file (lookup) in specific index events

inventsekar — Tue, 29 Sep 2020 14:26:08 GMT

Hi, Please check this one -

index=index_name [|inputlookup transaction.csv | return transaction_name]

Re: How to search a list of words from csv file (lookup) in specific index events

onkarkore1 — Mon, 12 Jun 2017 19:44:42 GMT

I would like to see either matching or non-matching transaction names returned by transaction_name column from transaction.csv file with respect to events in index.

But above search query is not returning any data, when I executed above query it returned no result found.

Re: How to search a list of words from csv file (lookup) in specific index events

MuS — Mon, 12 Jun 2017 19:48:37 GMT

Please provide some useful raw events and your expected result, otherwise there is no way for anyone to help you get the result you want 😉

Re: How to search a list of words from csv file (lookup) in specific index events

onkarkore1 — Tue, 29 Sep 2020 14:29:16 GMT

My index name is iot which is generating number of events as below,

index=iot

Below is the transaction value contained in transaction_name csv from transaction.csv lookup and events from iot index

trnsaction_name: WSVCUpdateMilestone
160701 09:57:32.322 (I 4) [:0x0 0x5774c746 0x49ce2b 0x28 0x0 0x0:N_MlIsMd] Workflow (FX we_WorkflowUpdate.c 272) Status returning by WSVCUpdateMilestone: 0

transaction_name: Workflow
160701 09:57:32.322 (I 4) [:0x0 0x5774c746 0x49ce2b 0x28 0x0 0x0:N_MlIsMd] Workflow (FX we_WorkflowUpdate.c 272) Status returning by WSVCUpdateMilestone: 0

transaction_name: DBServerId
160701 09:57:32.266 (D 5) [:0x0 0x5774c746 0x49ce2b 0x28 0x0 0x0:N_MlIsMd] DBServerId (FX wf_Engine.c 659) Account server: 3

transaction_name: CallData
160701 09:57:32.266 (I 4) [:0x0 0x5774c746 0x49ce2b 0x28 0x0 0x0:N_MlIsMd] CallData (FX wf_Engine.c 701) CONTENT IN DEBUG FILE

Now, I have a lookup table named transaction.csv contains one colunm, transaction_name. The goal is to have Splunk go through the lookup table and match text in the column, transaction_name with the index iot. and return either matching or non-matching term

Lookup table is "transaction.csv" having one column named, transaction_name it have N numbers of entries (1000 entries) follows:

transaction_name
WSVCUpdateMilestone
Workflow
DBServerId
CallData
....
These are thousands of transaction name contained in lookup table, we want to check whether index is returning any events containing above transaction value.

Manually executing search query is difficult for thousands of entries like,

index="index_name" "transaction_name"

This is why we want to use lookup which will go through index events and return list of either matching or non_matching transaction values from table.

Any help would be great. I have tried the below:

index=iot [|inputlookup transaction.csv | return transaction_name]

But above search query is not returning any data, when I executed above query it returned no result found.