How can I filter a field using a lookup csv file?

tomscott21 · ‎03-18-2020

I have a csv file called ports.csv, this contains one column called "port", this contains all of the port numbers 0-1024. I want to use this csv to filter the dest_port field in my Splunk search.

So essentially I want to only see events that have which have the destination port 0-1024, how can I do this?. Is there an easier way to do this without a CSV lookupfile? o

woodcock · ‎03-18-2020

Like this:

index="YouShouldAlwaysSpecifyAnIndex" AND sourcetype="AndSourcetypeToo" AND NOT [ |inputlookup MyPortLookupFileHere.csv | table MyPortFieldNameHere | rename MyPortFieldNameHere AS dest_port ]

But why not just do as @richgalloway suggested like this?

index="YouShouldAlwaysSpecifyAnIndex" AND sourcetype="AndSourcetypeToo" AND dest_port<=1024

richgalloway · ‎03-18-2020

Have you tried putting dest_port <= 1024 in your base search?

---
If this reply helps you, Karma would be appreciated.

How can I filter a field using a lookup csv file?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Join the Conversation

How can I filter a field using a lookup csv file?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...