Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

I have some data, if the message contains a word which is in a csv file, then results should show in a table. How should I edit my search?

nagarjuna280
Communicator
‎04-21-2017 07:53 PM

I have some data, if the message contains a word which is in a csv file, then results should show in a table. How should I edit my search?

I have a csv file which contains keywords like:

kill
bomb
gun
drugs
Anthrax
Arms
Attack
Atomic
If the message contains more than one word like:

take your gun
kill him
And I search like this:

search | table message, id ,name
then results should look like this:

message id name

Tags (2)
0 Karma
Reply

viji261992
Explorer
‎10-05-2018 12:01 AM

I have a .csv file whose name is bad.csv in which the column name is eventuei I want that column to be displayed in my report.
Please let me know how to pull the .csv file inside the query and display the "eventuei" column in the report.

Reply

niketn
Legend
‎04-23-2017 01:03 AM

Following query creates a dummy lookup using makeresults (In case of lookup file you can use inputlookup command instead.)

| makeresults
| eval findPattern="kill,bomb,gun,drugs,Anthrax,Arms,Attack,Atomic"
| makemv delim="," findPattern 
| mvexpand findPattern limit=10

Splunk's map command would be able to iterate though the keywords in the previous query

| map search="| makeresults | eval testData=\"Chuck Norris doesn't need gun to kill\"| eval matched=if(match(testData,\"$findPattern$\"),1,0)"
| search matched="1"
| stats sum(matched) as matched by testData
| table testData, matched

Combine the above two search which is a run anywhere example.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...