Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How to use a csv file to search fields.
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ssaenger
Communicator
07-08-2015
07:27 AM
Hi,
I am trying to use a CSV file to search variables as i was using an OR command but the amount of variables is increasing, however its not returning any results.
sourcetype=drm_ssa_log | search [ inputlookup domain_provisioning_master.csv | return 10000 hhRef ] | table hhRef
thanks.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ssaenger
Communicator
07-09-2015
12:54 AM
So after alot of web searching i got the search string;
sourcetype=drm_ssa_log [inputlookup test_csv.csv | return 10000 hhRef=hhRef]
where test_csv.csv look like
hhRef
001AB12
0034526
00BD741
0035682A
it reads the list as hhRef and the return 10000 hhRef=hhRef mean return the 10000 values and assign the alias hhRef to the field hhRef.
I did try " | fields hhRef " but I think this just searches for 001AB12 accross the whole log file.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ssaenger
Communicator
07-09-2015
12:54 AM
So after alot of web searching i got the search string;
sourcetype=drm_ssa_log [inputlookup test_csv.csv | return 10000 hhRef=hhRef]
where test_csv.csv look like
hhRef
001AB12
0034526
00BD741
0035682A
it reads the list as hhRef and the return 10000 hhRef=hhRef mean return the 10000 values and assign the alias hhRef to the field hhRef.
I did try " | fields hhRef " but I think this just searches for 001AB12 accross the whole log file.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
richgalloway
SplunkTrust
07-08-2015
08:05 AM
Try this:
sourcetype=drm_ssa_log | lookup domain_provisioning_master foo | table hhRef
Where 'foo' is a field in both the drm_ssa_log sourcetype and in the CSV. The lookup command will return all fields from the CSV.
---
If this reply helps you, Karma would be appreciated.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ssaenger
Communicator
07-08-2015
08:23 AM
Thanks for the prompt response Rich,
I get the following error;
Error in 'lookup' command: The lookup table 'domain_provisioning_master' does not exist.
i think i should have said that the csv file is from an excel doc, its a single colomn of figures, the foo part is a field in the drm_ssa_log called hhRef, so my search looks like;
sourcetype=drm_ssa_log | lookup domain_provisioning_master hhRef | table hhRef
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
richgalloway
SplunkTrust
07-08-2015
08:32 AM
If hhRef already exists in drm_ssa_log, what is the lookup for?
If the CSV is just a single column of numbers, then you have no way to correlate the data in the CSV with the events from your search.
---
If this reply helps you, Karma would be appreciated.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ssaenger
Communicator
07-08-2015
08:35 AM
the hhRef in the csv table is a partial amount of users that need to be checked on the system
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
richgalloway
SplunkTrust
07-08-2015
09:47 AM
I don't understand that statement. How do you map hhRef from drm_ssa_log to the appropriate hhRef value in the CSV?
---
If this reply helps you, Karma would be appreciated.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ssaenger
Communicator
07-08-2015
11:20 PM
apologies i am very new to Splunk and coding.
I had an OR statement to find some entries in a log file where the field hhRef=001TR12, this was fine but the number of hhRef values is increasing and i thought using a csv file would be a better alternative to a really long OR statement which i keep having to edit.
So my csv file is;
001AB12
0034526
00BD741
0035682A
I want to parse these values into a search as the field hhRef.
hope thats clearer 🙂
Get Updates on the Splunk Community!
Aligning Observability Costs with Business Value: Practical Strategies
Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...
Mastering Data Pipelines: Unlocking Value with Splunk
In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...
Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0
Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...
