https://community.splunk.com/t5/Splunk-Search/CSV-Lookup-for-search-query/m-p/516621#M145208 <P>I prepared csv to inputlookup to compare the Splunk logs.</P><P>adhoc.csv</P><P>//</P><P>Account,</P><P>test01,etc....</P><P>test02,etc....</P><P>//</P><P>my Query</P><P>index=msad sourcetype=msad&nbsp;[| inputlookup adhoc.csv | fields Account]&nbsp;<BR />Searching Period: Last 24 hours</P><P>Cross check adhoc.csv match the searching logs.</P><P>For those account did not perform any authentation which logs stored at index=msad, during search period, then show zero values.</P><P>&nbsp;</P> Fri, 28 Aug 2020 02:45:02 GMT keyu921 2020-08-28T02:45:02Z https://community.splunk.com/t5/Splunk-Search/CSV-Lookup-for-search-query/m-p/516621#M145208 <P>I prepared csv to inputlookup to compare the Splunk logs.</P><P>adhoc.csv</P><P>//</P><P>Account,</P><P>test01,etc....</P><P>test02,etc....</P><P>//</P><P>my Query</P><P>index=msad sourcetype=msad&nbsp;[| inputlookup adhoc.csv | fields Account]&nbsp;<BR />Searching Period: Last 24 hours</P><P>Cross check adhoc.csv match the searching logs.</P><P>For those account did not perform any authentation which logs stored at index=msad, during search period, then show zero values.</P><P>&nbsp;</P> Fri, 28 Aug 2020 02:45:02 GMT https://community.splunk.com/t5/Splunk-Search/CSV-Lookup-for-search-query/m-p/516621#M145208 keyu921 2020-08-28T02:45:02Z https://community.splunk.com/t5/Splunk-Search/CSV-Lookup-for-search-query/m-p/516625#M145209 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/67502">@keyu921</a>&nbsp;</P><P>It's not overly clear what you are asking for so I not going to try, however if you want to have an OR statement generated for you base search, from the adhoc.csv file, then you need to use the <STRONG>format</STRONG> command, as shown</P><P>&nbsp;</P><LI-CODE lang="markup">... your search ... [| inputlookup adhoc.csv | fields Account | format] | ...</LI-CODE><P>&nbsp;</P><P>Substituted result of the subsearch would be</P><P>&nbsp;</P><LI-CODE lang="markup"> ... your search ... ( ( Account="test1" ) OR ( Account="test2" ) ) | ...</LI-CODE><P>&nbsp;</P><P>&nbsp;<BR />Having said that, more often than not, the use of the <STRONG>lookup</STRONG> command is far more efficient ...</P><P>&nbsp;</P><LI-CODE lang="markup">... your search ... | lookup adhoc.csv Account AS Account OUTPUTNEW &lt;...some new field in adhoc.csv...&gt; | where isnotnull(&lt;some new field&gt;) </LI-CODE><P>&nbsp;</P><P>Check the Splunk docs for more details, if interested.<BR /><BR />Hope this helps</P> Fri, 28 Aug 2020 03:32:35 GMT https://community.splunk.com/t5/Splunk-Search/CSV-Lookup-for-search-query/m-p/516625#M145209 yeahnah 2020-08-28T03:32:35Z https://community.splunk.com/t5/Splunk-Search/CSV-Lookup-for-search-query/m-p/516627#M145211 <P>This will show you all the Account names from the CSV that did NOT have any entries in the msad log in the time period given. It first searches and counts all the data for the monitored accounts, then adds back all the accounts being monitored and just then looks for ones with no count value.</P><LI-CODE lang="markup">index=msad sourcetype=msad [| inputlookup adhoc.csv | fields Account] | stats count by Account | append [ | inputlookup adhoc.csv | fields Account ] | stats values(count) as count by Account | where isnull(count)</LI-CODE><P>Hope this helps</P><P>&nbsp;&nbsp;</P> Fri, 28 Aug 2020 03:51:50 GMT https://community.splunk.com/t5/Splunk-Search/CSV-Lookup-for-search-query/m-p/516627#M145211 bowesmana 2020-08-28T03:51:50Z https://community.splunk.com/t5/Splunk-Search/CSV-Lookup-for-search-query/m-p/516643#M145218 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/67502">@keyu921</a>,</P><P>please try this:</P><LI-CODE lang="markup">index=msad sourcetype=msad | eval Account=lower(Account) | stats count BY Account | append [| inputlookup adhoc.csv | eval Account=lower(Account), count=0 | fields Account count] | stats sum(count) AS total BY Account | where total=0</LI-CODE><P>In this way,</P><UL><LI>total&gt;o means that there are logs,</LI><LI>total=0 means that there aren't logs.</LI></UL><P>As you requested, I added at the end a filter to display only the ones without logs, but you could also create a dashboard displaying all the Accounts with their status.</P><P>Ciao.</P><P>Giuseppe</P> Fri, 28 Aug 2020 06:55:31 GMT https://community.splunk.com/t5/Splunk-Search/CSV-Lookup-for-search-query/m-p/516643#M145218 gcusello 2020-08-28T06:55:31Z https://community.splunk.com/t5/Splunk-Search/CSV-Lookup-for-search-query/m-p/520418#M146534 <P>hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/67502">@keyu921</a>,</P><P>good for you.</P><P>Ciao and happy splunking.</P><P>Giuseppe</P><P>P.S.: Karma Points are appreciated <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Sat, 19 Sep 2020 10:20:13 GMT https://community.splunk.com/t5/Splunk-Search/CSV-Lookup-for-search-query/m-p/520418#M146534 gcusello 2020-09-19T10:20:13Z