topic Re: CSV Lookup for search query in Splunk Search

CSV Lookup for search query

Abdulm1 — Wed, 12 Feb 2020 09:04:24 GMT

I have a search query like this

index=ppt sm.to{}="12-12-518@dt.com" OR sm.to{}="050920@cp.com" |table sm.to{} sm.stat

and I want to use a csv lookup instead because I have more email address to use and I want the result to show this two fields .

My csv contains this
sm.to{}
050920@cp.com
12-12-518@dt.com
774211@PP.com
859@dat.com
20909@PP.com
07548@pp.com

Can anyone help with a lookup search query for me . thanks.

Re: CSV Lookup for search query

manjunathmeti — Wed, 12 Feb 2020 09:31:16 GMT

Try this:

index=ppt | lookup .csv sm.to{} OUTPUT sm.to{} as sm_to | search sm_to = *

Re: CSV Lookup for search query

Abdulm1 — Wed, 30 Sep 2020 04:10:49 GMT

am actaully using inputlookup so i used the below command but it did not work

index=proofpoint sourcetype=pps_maillog | inputlookup smto OUTPUT sm.to{} as sm_to | search sm_to = *

I tried the following as well but did not work
index=ppt
| eval Recipients='sm.to{}'
| table Recipients
| search Recipients = "*"
| join type=inner Recipients
[| inputlookup smto
| table sm.to{} sm.stat]

Re: CSV Lookup for search query

manjunathmeti — Wed, 12 Feb 2020 13:55:25 GMT

May be it's due to field name, rename sm.to{} to smto in csv file and search query and try.

Re: CSV Lookup for search query

Abdulm1 — Wed, 30 Sep 2020 04:11:09 GMT

Thanks @manjunathmeti it worked perfectly.

index=ppt | lookup .csv sm.to{} OUTPUT sm.to{} as sm_to | search sm_to = * | table sm_to sm.stat