How to use a csv file to search fields.

Path Finder

Hi,

I am trying to use a CSV file to search variables, as I was using an OR command but the amount of variables is increasing. However, it's not returning any results.

sourcetype=drmssalog | search [ inputlookup domainprovisioningmaster.csv | return 10000 hhRef ] | table hhRef

Thanks.

1 Solution

Path Finder

So after a lot of web searching I got the search string:
sourcetype=drmssalog [inputlookup test_csv.csv | return 10000 hhRef=hhRef]

where test_csv.csv looks like
hhRef
001AB12
0034526
00BD741
0035682A

It reads the list as hhRef, and the return 10000 hhRef=hhRef means return the 10000 values and assign the alias hhRef to the field hhRef.

I did try " | fields hhRef " but I think this just searches for 001AB12 across the whole log file.

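An equivalent form of the accepted search, as an added example that is not part of the original thread. It assumes test_csv.csv has the header row hhRef, as in the solution post. The subsearch reads the CSV, `fields` keeps only that column, and `format` turns each row into an hhRef="value" term joined with OR; the `stats` summary at the end is an addition for illustration.

```spl
sourcetype=drmssalog
    [ | inputlookup test_csv.csv
      | fields hhRef
      | dedup hhRef
      | format ]
| stats count AS events BY hhRef
```

Running the bracketed pipeline on its own, without the brackets, shows the generated filter in the `search` field, for example ( ( hhRef="001AB12" ) OR ( hhRef="0034526" ) ), which is a quick way to check what the outer search actually receives.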

SplunkTrust

Try this:

sourcetype=drm_ssa_log | lookup domain_provisioning_master foo | table hhRef

Where 'foo' is a field in both the drmssalog sourcetype and in the CSV. The lookup command will return all fields from the CSV.

---
If this reply helps you, an upvote would be appreciated.

Path Finder

Thanks for the prompt response Rich,
I get the following error:
Error in 'lookup' command: The lookup table 'domainprovisioningmaster' does not exist.

I think I should have said that the CSV file is from an Excel doc; it's a single column of figures. The foo part is a field in the drmssalog called hhRef, so my search looks like:

sourcetype=drmssalog | lookup domainprovisioningmaster hhRef | table hhRef


SplunkTrust

If hhRef already exists in drmssalog, what is the lookup for?
If the CSV is just a single column of numbers, then you have no way to correlate the data in the CSV with the events from your search.


Path Finder

The hhRef in the CSV table is a partial amount of users that need to be checked on the system.


SplunkTrust

I don't understand that statement. How do you map hhRef from drmssalog to the appropriate hhRef value in the CSV?


Path Finder

Apologies, I am very new to Splunk and coding.
I had an OR statement to find some entries in a log file where the field hhRef=001TR12. This was fine, but the number of hhRef values is increasing and I thought using a CSV file would be a better alternative to a really long OR statement which I keep having to edit.
So my CSV file is:
001AB12
0034526
00BD741
0035682A
I want to parse these values into a search as the field hhRef.

Hope that's clearer 🙂
