topic Re: Lookup against multiple columns in CSV file in Splunk Search

How to lookup against multiple columns in CSV file?

neerajs_81 — Tue, 08 Mar 2022 02:39:38 GMT

Hello All,
how can we search against 2 columns of a CSV lookup file and if the value of the field that i am searching for happens to be either of the 2 columns, then exclude those results ? Kind of a whitelist.

Lets say i have a csv table of 2 columns as follows

URLs	UA

i am searching against my firewall logs and if the url field in the events matches against URLs column of the table OR the user_agent field from events matches the UA column of the table, then exclude those events
This is what i have come up with but its not working...

Re: Lookup against multiple columns in CSV file

ITWhisperer — Fri, 04 Mar 2022 13:02:30 GMT

Try AND instead of OR

Re: Lookup against multiple columns in CSV file

neerajs_81 — Mon, 07 Mar 2022 04:01:01 GMT

Thanks a lot. Is there other way to merge checking against multiple columns in one input lookup command given that its referencing the same csv file ?
Right now as you can see we are calling | inputlookup twice for the same csv . Any way to consolidate into one ?

Re: Lookup against multiple columns in CSV file

PickleRick — Mon, 07 Mar 2022 06:15:17 GMT

You could try to somehow transform the inputlookup results in order to split it and form a single usable subsearch but unless it's a huge set, there's no much point.

I don't like subsearches as such but sometimes they are unavoidable. And in your case the subsearches seem to be fairly quick. And remember that they are evaluated before the main search so you don't have to evaluate those inputlookups separately for each main search result line.