topic Using Lookup csv file to query fieldname in Splunk Search

Using Lookup csv file to query fieldname

chrismatt02 — Wed, 23 Oct 2024 06:14:45 GMT

I have a lookup file saved with a single column having values of specific fields in it. And want to use to search in query which matched with values in field names

Example:

lookupname : test.csv
column name: column1

fieldname: field1

Re: Using Lookup csv file to query fieldname

PickleRick — Wed, 23 Oct 2024 07:15:53 GMT

OK. But do you have just one column with multiple values? Or do you have multiple columns? How would your lookup contents match the data you want to search for?

Re: Using Lookup csv file to query fieldname

ITWhisperer — Wed, 23 Oct 2024 08:00:13 GMT

This is a bit vague. Can you give an example of the type of search you are trying / wanting to do with your lookup?

Re: Using Lookup csv file to query fieldname

chrismatt02 — Thu, 24 Oct 2024 01:20:00 GMT

@ITWhisperer I am using lookup file with single column, multiple entries which contains filenames. I am trying to match that names with the Filename field in query to obtain results which matches the value.

Re: Using Lookup csv file to query fieldname

chrismatt02 — Thu, 24 Oct 2024 01:21:04 GMT

@PickleRick I am using single column multiple entries and just trying to compare values in lookup file with the logs which contains those values and output the results

Re: Using Lookup csv file to query fieldname

yuanliu — Thu, 24 Oct 2024 05:50:02 GMT

See syntax help in lookup. This is what I suggest:

| lookup column1 AS field1 test.csv output column1 as match | where isnotnull(match)

Re: Using Lookup csv file to query fieldname

PickleRick — Thu, 24 Oct 2024 11:47:37 GMT

With a relatively dense search the approach shown by @yuanliu is the most typical thing to do.

But if you expect that the search will be sparse, you might want to use the lookup by means of a subsearch to generate a set of conditions directly into your search

<your_base_search> [ | inputlookup your_lookup.csv | rename if needed ]
| <rest_of_your_search>

This might prove to be more effective if your resulting set of conditions is small and yields only a handful of events.