All Apps and Add-ons

inputlookup

sd248011
New Member

Hello,

I know to view a csv, I can run | inputlookup asdf.csv. How would I be able to view multiple csvs in one search query?

0 Karma
1 Solution

alacercogitatus
SplunkTrust
SplunkTrust

A better solution would be:

|inputlookup file1.csv | inputlookup file2.csv append=t|...

View solution in original post

alacercogitatus
SplunkTrust
SplunkTrust

A better solution would be:

|inputlookup file1.csv | inputlookup file2.csv append=t|...

sd248011
New Member

Ah, got it. Thanks much!

0 Karma

alacercogitatus
SplunkTrust
SplunkTrust

My initial answer had an append=t because I normally append lookups to search results. Try this: |inputlookup c2_zeus.csv | inputlookup DNS_DOMAINS_malware.csv append=t

0 Karma

sd248011
New Member

The c2_zeus.csv is the first. Then I have append=t after that and the second csv. My example above is exactly like how your query was stated originally. It just doesn't let you put a subsequent inputlookup command after the initial one.

0 Karma

alacercogitatus
SplunkTrust
SplunkTrust

You have them backwards. Swap the two. For each inputlookup after the first, you need "append=t"

0 Karma

sd248011
New Member

|inputlookup c2_zeus.csv append=t| inputlookup DNS_Domains_malware.csv

0 Karma

alacercogitatus
SplunkTrust
SplunkTrust

can you post your search that is failing?

0 Karma

sd248011
New Member

I do. It is because inputlookup is stated after the append. I can run the | inputlookup file1.csv just fine. It is the subsequent csvs I can't seem to also pull up.

0 Karma

alacercogitatus
SplunkTrust
SplunkTrust

make sure you have a | at the front of your search, and that it is the first command in the search.

0 Karma

sd248011
New Member

I receive this error:

Error in 'inputlookup' command: This command must be the first command of a search.

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

inputlookup, append, inputlookup, append, ...?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...