Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to filter results by CSV Lookup?

driva
Path Finder
‎01-28-2020 04:52 AM

Hi guys,

I'm working with the syslogs of a basic web filter. I have a CSV file containing "bad words searched" that I'd like to report on. Essentially, I'd like to create a Table with Username, IP and the "Bad Word Searched". Currently I can create a a table with Username, IP and ALL words searched but not able to filter results based on the lookup.

My current search is:

index=WebFilter | stats count by Web_username, Web_IP, Web_GoogleSearch | sort -count

How could I use a lookup file to filter the results?

Ideally I'd like something like this but I can't get the syntax right as I'm not sure how to apply this to the results properly: 

index=WebFilter [| inputlookup BadWords.csv | rename BadWordsList as Web_BadWords] | stats count by Web_username, Web_IP, Web_GoogleSearch, Web_BadWords | sort -count

Any guidance would be amazing, thank you.

Best wishes,
D

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

driva
Path Finder
‎01-28-2020 08:18 AM

I managed to solve it, the search needed was:

 index=WebFilter [| inputlookup BadWords.csv | eval BadWordsList="*"+BadWordsList+"*" | rename BadWordsList as web_GoogleSearch] | stats count by web_GoogleSearch, web_User, _time

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

driva
Path Finder
‎01-28-2020 08:18 AM

I managed to solve it, the search needed was:

 index=WebFilter [| inputlookup BadWords.csv | eval BadWordsList="*"+BadWordsList+"*" | rename BadWordsList as web_GoogleSearch] | stats count by web_GoogleSearch, web_User, _time
0 Karma
Reply
Solved! Jump to solution

manjunathmeti
Champion
‎01-28-2020 06:35 AM

You can try:

index=WebFilter | lookup BadWords.csv BadWordsList as Web_BadWords OUTPUT BadWordsList | stats count by Web_username, Web_IP, Web_GoogleSearch, BadWordsList | sort -count

0 Karma
Reply
Solved! Jump to solution

driva
Path Finder
‎01-28-2020 06:44 AM

Hi, thanks for your response! I tried the search which didn't throw up an error this (which is good) however I get back 0 results. Would this be because the Web_GoogleSearch contains the bad word within the string and not an exact match in the CSV file? If this is the case, is there anything I can do to say 'if Web_GoogleSearch contains word from list, output the results'? Thanks for your help.

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...