
inputcsv match anywhere

Contributor

I have a list of usernames in a CSV file. I want to find any events that contain any of these usernames in raw. I cannot guarantee that there is a field called user or affecteduser for every event, so I want to match anywhere in the string. If I try the following, it only matches for the first user:

.. [ inputcsv userlist.csv |return $user ]

but this only matches on the first user in the list.

Does anyone know how I can match any of the users (words) in a list?

This should be the same whether I am using inputcsv or inputlookup.


Re: inputcsv match anywhere

Contributor

Running 4.3.1 search head...


Re: inputcsv match anywhere

Legend
... [inputcsv userlist.csv | rename user as query | fields query]

"query" (or "search" if you prefer; it has the same effect) is a special field name that makes Splunk omit the 'field=value' formatting when returning from a subsearch.

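To make the difference between the two subsearch forms concrete, here is an added Python model of the expansion behaviour described in the answer. It is not Splunk code and not part of the original thread: the CSV contents, the sample log lines and the simplified rendering rules are all constructed assumptions. It renders the rows of a user list either as `user="value"` terms (what a normal field name produces) or as bare terms (what renaming the field to `query` produces), and then runs both expansions over events where only some lines carry an extracted `user=` field, which is exactly the situation the question describes.

```python
import csv
import io
import re

# Constructed stand-in for userlist.csv (assumed content, not from the thread).
USERLIST_CSV = """user
alice
bob
carol
"""

# Constructed sample events. Only the first one has a literal user= field;
# the others mention the username somewhere else in the raw text.
EVENTS = [
    "Jan 01 10:00:00 sshd[1]: Accepted password for user=alice from 10.0.0.5",
    "Jan 01 10:01:00 app: session opened for bob via sso",
    "Jan 01 10:02:00 app: carol failed login, src=10.0.0.9",
    "Jan 01 10:03:00 app: dave logged in",
]


def load_rows(csv_text):
    """Parse CSV text into a list of dict rows (models `inputcsv`)."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def rename_field(rows, old, new):
    """Model `rename old as new | fields new`: keep only the renamed column."""
    return [{new: row[old]} for row in rows]


def render_subsearch(rows, field):
    """Simplified model of how Splunk turns subsearch rows into search terms.

    Assumption: each row becomes one OR'd term. A field named "query" or
    "search" contributes the bare value; any other field name contributes
    field="value". Real Splunk parenthesises slightly differently.
    """
    terms = []
    for row in rows:
        value = row[field]
        if field in ("query", "search"):
            terms.append(f"( {value} )")
        else:
            terms.append(f'( {field}="{value}" )')
    return " OR ".join(terms)


def render_return_first(rows, field):
    """Model `return $field` with its default count of 1: only the first row."""
    return rows[0][field]


def matches(event, expansion):
    """Evaluate one rendered OR expansion against a single raw event.

    Bare terms match anywhere in the raw text as a whole word, case-insensitive.
    field="value" terms require a literal field=value token in the event,
    modelling an extracted field that may simply not exist for that event.
    """
    for term in expansion.split(" OR "):
        term = term.strip("() ")
        m = re.fullmatch(r'(\w+)="([^"]*)"', term)
        if m:
            if f"{m.group(1)}={m.group(2)}" in event:
                return True
        elif re.search(r"\b" + re.escape(term) + r"\b", event, re.IGNORECASE):
            return True
    return False


def search(events, expansion):
    """Return the events that satisfy the expansion (models the outer search)."""
    return [e for e in events if matches(e, expansion)]


if __name__ == "__main__":
    rows = load_rows(USERLIST_CSV)
    by_field = render_subsearch(rows, "user")
    anywhere = render_subsearch(rename_field(rows, "user", "query"), "query")
    print("return $user     ->", render_return_first(rows, "user"))
    print("field form       ->", by_field, "| hits:", len(search(EVENTS, by_field)))
    print("query form       ->", anywhere, "| hits:", len(search(EVENTS, anywhere)))
```

Run as a script, the field form only finds the event that actually carries `user=alice`, while the `query` form finds every event that mentions alice, bob or carol anywhere in the raw text, and the `return $user` form yields a single value. That is the behaviour the accepted answer relies on: renaming to `query` (or `search`) drops the `field=` prefix so the terms are matched against `_raw` rather than against a field that may not have been extracted.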