Are you a member of the Splunk Community?
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How can I use a CSV of email addresses to search i...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi everyone,
I'm having a little trouble querying with a CSV and wondered if you could provide assistance.
I have a CSV with a lot of email addresses:
Layout of Emails.csv
Emails
Email1@address.com
Email2@address.com
Email3@address.com
and so forth.
The query I'm using is:
index=index1 sourcetype=MessageTracking | search [|inputlookup Emails.csv | rename Emails as address | fields address ] | table address, directionality
directionality is a field in the sourcetype MessageTracking. Unfortunately I am getting no results out of the query, although there are addresses in that sourcetype and the csv which I've queried and do get results back for.
Any help would be appreciated.
Thanks
Steve
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The first thing to do is check the spelling and capitalization of the field name for the email addresses. The field names must be spelled exactly like Emails in the csv, and address in index1.
Your subsearch will resolve into a string that looks like this:
( ( address="Email1@address.com" ) OR ( address="Email2@address.com") OR ... )
If the field name is not exactly correct, then that will, of course, find nothing.
The second thing to do is run this...
index=index1 sourcetype=MessageTracking
| search [| inputlookup Emails.csv | rename Emails as address | table address ]
| table address, directionality
That should have no different effect, since there should not be any extra hidden fields from an inputlookup, but if it solves something, then we'll figure out why it did.
The third thing is to try this...
index=index1 sourcetype=MessageTracking
| search [| makeresults | eval address="Email1@address.com" | table address ]
| table address, directionality
If that doesn't work for you, then, again, there is something wrong with the field name or the data.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The first thing to do is check the spelling and capitalization of the field name for the email addresses. The field names must be spelled exactly like Emails in the csv, and address in index1.
Your subsearch will resolve into a string that looks like this:
( ( address="Email1@address.com" ) OR ( address="Email2@address.com") OR ... )
If the field name is not exactly correct, then that will, of course, find nothing.
The second thing to do is run this...
index=index1 sourcetype=MessageTracking
| search [| inputlookup Emails.csv | rename Emails as address | table address ]
| table address, directionality
That should have no different effect, since there should not be any extra hidden fields from an inputlookup, but if it solves something, then we'll figure out why it did.
The third thing is to try this...
index=index1 sourcetype=MessageTracking
| search [| makeresults | eval address="Email1@address.com" | table address ]
| table address, directionality
If that doesn't work for you, then, again, there is something wrong with the field name or the data.
Tech Talk Recap | Mastering Threat Hunting
Observability for AI Applications: Troubleshooting Latency
Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?
