Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: How to use a csv file to search fields.
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ssaenger
Communicator
07-08-2015
07:27 AM
Hi,
I am trying to use a CSV file to search variables as i was using an OR command but the amount of variables is increasing, however its not returning any results.
sourcetype=drm_ssa_log | search [ inputlookup domain_provisioning_master.csv | return 10000 hhRef ] | table hhRef
thanks.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ssaenger
Communicator
07-09-2015
12:54 AM
So after alot of web searching i got the search string;
sourcetype=drm_ssa_log [inputlookup test_csv.csv | return 10000 hhRef=hhRef]
where test_csv.csv look like
hhRef
001AB12
0034526
00BD741
0035682A
it reads the list as hhRef and the return 10000 hhRef=hhRef mean return the 10000 values and assign the alias hhRef to the field hhRef.
I did try " | fields hhRef " but I think this just searches for 001AB12 accross the whole log file.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ssaenger
Communicator
07-09-2015
12:54 AM
So after alot of web searching i got the search string;
sourcetype=drm_ssa_log [inputlookup test_csv.csv | return 10000 hhRef=hhRef]
where test_csv.csv look like
hhRef
001AB12
0034526
00BD741
0035682A
it reads the list as hhRef and the return 10000 hhRef=hhRef mean return the 10000 values and assign the alias hhRef to the field hhRef.
I did try " | fields hhRef " but I think this just searches for 001AB12 accross the whole log file.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
richgalloway
SplunkTrust
07-08-2015
08:05 AM
Try this:
sourcetype=drm_ssa_log | lookup domain_provisioning_master foo | table hhRef
Where 'foo' is a field in both the drm_ssa_log sourcetype and in the CSV. The lookup command will return all fields from the CSV.
---
If this reply helps you, Karma would be appreciated.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ssaenger
Communicator
07-08-2015
08:23 AM
Thanks for the prompt response Rich,
I get the following error;
Error in 'lookup' command: The lookup table 'domain_provisioning_master' does not exist.
i think i should have said that the csv file is from an excel doc, its a single colomn of figures, the foo part is a field in the drm_ssa_log called hhRef, so my search looks like;
sourcetype=drm_ssa_log | lookup domain_provisioning_master hhRef | table hhRef
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
richgalloway
SplunkTrust
07-08-2015
08:32 AM
If hhRef already exists in drm_ssa_log, what is the lookup for?
If the CSV is just a single column of numbers, then you have no way to correlate the data in the CSV with the events from your search.
---
If this reply helps you, Karma would be appreciated.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ssaenger
Communicator
07-08-2015
08:35 AM
the hhRef in the csv table is a partial amount of users that need to be checked on the system
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
richgalloway
SplunkTrust
07-08-2015
09:47 AM
I don't understand that statement. How do you map hhRef from drm_ssa_log to the appropriate hhRef value in the CSV?
---
If this reply helps you, Karma would be appreciated.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ssaenger
Communicator
07-08-2015
11:20 PM
apologies i am very new to Splunk and coding.
I had an OR statement to find some entries in a log file where the field hhRef=001TR12, this was fine but the number of hhRef values is increasing and i thought using a csv file would be a better alternative to a really long OR statement which i keep having to edit.
So my csv file is;
001AB12
0034526
00BD741
0035682A
I want to parse these values into a search as the field hhRef.
hope thats clearer 🙂
Get Updates on the Splunk Community!
Splunk Answers Content Calendar, June Edition
Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...
What You Read The Most: Splunk Lantern’s Most Popular Articles!
Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
See your relevant APM services, dashboards, and alerts in one place with the updated ...
As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...
