Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to filter results by CSV Lookup?

driva
Path Finder
‎01-28-2020 04:52 AM

Hi guys,

I'm working with the syslogs of a basic web filter. I have a CSV file containing "bad words searched" that I'd like to report on. Essentially, I'd like to create a Table with Username, IP and the "Bad Word Searched". Currently I can create a a table with Username, IP and ALL words searched but not able to filter results based on the lookup.

My current search is:

index=WebFilter | stats count by Web_username, Web_IP, Web_GoogleSearch | sort -count

How could I use a lookup file to filter the results?

Ideally I'd like something like this but I can't get the syntax right as I'm not sure how to apply this to the results properly: 

index=WebFilter [| inputlookup BadWords.csv | rename BadWordsList as Web_BadWords] | stats count by Web_username, Web_IP, Web_GoogleSearch, Web_BadWords | sort -count

Any guidance would be amazing, thank you.

Best wishes,
D

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

driva
Path Finder
‎01-28-2020 08:18 AM

I managed to solve it, the search needed was:

 index=WebFilter [| inputlookup BadWords.csv | eval BadWordsList="*"+BadWordsList+"*" | rename BadWordsList as web_GoogleSearch] | stats count by web_GoogleSearch, web_User, _time

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

driva
Path Finder
‎01-28-2020 08:18 AM

I managed to solve it, the search needed was:

 index=WebFilter [| inputlookup BadWords.csv | eval BadWordsList="*"+BadWordsList+"*" | rename BadWordsList as web_GoogleSearch] | stats count by web_GoogleSearch, web_User, _time
0 Karma
Reply
Solved! Jump to solution

manjunathmeti
Champion
‎01-28-2020 06:35 AM

You can try:

index=WebFilter | lookup BadWords.csv BadWordsList as Web_BadWords OUTPUT BadWordsList | stats count by Web_username, Web_IP, Web_GoogleSearch, BadWordsList | sort -count

0 Karma
Reply
Solved! Jump to solution

driva
Path Finder
‎01-28-2020 06:44 AM

Hi, thanks for your response! I tried the search which didn't throw up an error this (which is good) however I get back 0 results. Would this be because the Web_GoogleSearch contains the bad word within the string and not an exact match in the CSV file? If this is the case, is there anything I can do to say 'if Web_GoogleSearch contains word from list, output the results'? Thanks for your help.

0 Karma
Reply
Get Updates on the Splunk Community!

The OpenTelemetry Certified Associate (OTCA) Exam

What’s this OTCA exam? The Linux Foundation offers the OpenTelemetry Certified Associate (OTCA) credential to ...

From Manual to Agentic: Level Up Your SOC at Cisco Live

Welcome to the Era of the Agentic SOC   Are you tired of being a manual alert responder? The security ...

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 4)

Welcome back to Splunk Classroom Chronicles, our ongoing series where we shine a light on what really happens ...