topic Re: Using lookup (.csv file) to filter events in Splunk Search

Using lookup (.csv file) to filter events

bagarwal — Fri, 06 Jan 2017 04:54:20 GMT

I am creating a new post, as though I found similar questions but could not get the right solution.

I want to run a query where I can filter events using lookup file. As the file contains a list of application name it will keep adding. So I created .csv file and lookup table, lookup definition.

File name is file1.csv
Note: In my .csv file there is only one column and it looks like below: File name is file1.csv

Application ( It is the column header)
Paint
abc*
xyz*
aaa*

Query is
index="index_name" [ | inputlookup "file1.csv" | fields Application ] | table field1, field2

The above query didn't fetch any result.

Anything I am missing. Kindly help. I really will be thankful if someone can provide the solution.

Thanks & Regards,
Binay Agarwal

Re: Using lookup (.csv file) to filter events

somesoni2 — Fri, 06 Jan 2017 05:04:25 GMT

The above syntax expects there is a field called Application in your events.

IF you don't have that field and want to do text based search, try like this

index="index_name" [ | inputlookup "file1.csv" | table Application | rename Application as search ] | table field1, field2

If you have a field which contains this Application values, but have different name, try like this

index="index_name" [ | inputlookup "file1.csv" | table Application | rename Application as FieldNameInYourEvents] | table field1, field2

Re: Using lookup (.csv file) to filter events

bagarwal — Fri, 06 Jan 2017 05:47:19 GMT

Hi @somesoni2,

Thank You so much. This is exactly needed 🙂 A BIG THANK YOU once again. 🙂

Best Regards,
Binay Agarwal

Re: Using lookup (.csv file) to filter events

bagarwal — Mon, 09 Jan 2017 03:36:34 GMT

Hi,

Now since I am getting the result and to make it more flexible, in dashboard, I want to add input textbox where we can search via field values in application so for any particular value I can write in search box and run the query.

e.g. if my field2 contains abc ; I want to type abc is search box and click submit and all results containing abc of that field will pull out the report.

Can anyone please help in that.

Thanks & Regards,
Binay Agarwal

Re: Using lookup (.csv file) to filter events

somesoni2 — Mon, 09 Jan 2017 04:34:30 GMT

See the example dashboard of the textbox form input on Splunk documentation.

http://docs.splunk.com/Documentation/Splunk/6.3.0/Viz/PanelreferenceforSimplifiedXML#input_type_.22text.22

Also, would suggest to download and install "Splunk 6.x Dashboard Example" app which has this and many other sample dashboards.

Re: Using lookup (.csv file) to filter events

bagarwal — Mon, 09 Jan 2017 07:56:59 GMT

Thanks @somesoni2. It helps 🙂

Re: Using lookup (.csv file) to filter events

bagarwal — Tue, 10 Jan 2017 05:30:51 GMT

Hi,

The dashboard is perfectly prepared. One additional thing required. Need to add the field with username, but the challenge is user field is not available in raw event. So any way we can co-relate or pull username matches with the host name and display username in the report.

Query looks like this:

index="index_name" [ | inputlookup | table Application | rename Application as App ] | table host, App

And want to add one more column username so query should be | table host, username, App

Would be thankful if someone can help on this.

Thanks & Regards,
Binay Agarwal

Re: Using lookup (.csv file) to filter events

somesoni2 — Tue, 10 Jan 2017 05:46:34 GMT

From where you can get the user name when you say you can pull from the host name? Is there a mapping exists which relates host with user?

Re: Using lookup (.csv file) to filter events

bagarwal — Tue, 10 Jan 2017 07:50:42 GMT

Hi @somesoni2,

I mean if we can pull out from other source if hostname and username are present in say in firewall logs (different index ) or in different search head. Not sure how that could be .

and also if there is any way to retrieve username when the details are not present in raw logs at all.

Thanks inadvance.

Best Regards,
Binay Agarwal

Re: Using lookup (.csv file) to filter events

bagarwal — Tue, 17 Jan 2017 11:27:26 GMT

Hi @somesoni2, all,

Would like to add feature in my lookup file .
Now I have 2 columns the .csv file
Application Category_Y
Paint Y
abc* Y
xyz*
aaa* Y

Now I want to write a query that gives the result when Catogory_Y =Y

Current Query:
index="index_name" [ | inputlookup | table Application | rename Application as App ] | table host, App

Kindly suggest changes need to be made in the query to match the condition and get the result.

Thanks in advance

Best Regards,
Binay Agarwal

Re: Using lookup (.csv file) to filter events

bagarwal — Tue, 29 Sep 2020 12:27:56 GMT

Hi @somesoni2, all,

Would like to add feature in my lookup file .
Now I have 2 columns the .csv file
Application, Category_Y
Paint, Y
abc*, Y
xyz*
aaa*, Y

Now I want to write a query that gives the result when Catogory_Y =Y

Current Query:
index="index_name" [ | inputlookup | table Application | rename Application as App ] | table host, App

Kindly suggest changes need to be made in the query to match the condition and get the result.

Thanks in advance

Best Regards,
Binay Agarwal