Importing Values for a Search from a CSV File

anording
Engager

Hello,

I'm new to Splunk and need a short hint concerning the following question:

I have some Firewall logs in Splunk and would like to search in the Destination (DST) field for specific Servers.

I uploaded a Server-2.csv and a " | inputlookup Server-2.csv  " shows the content of the file correctly.

A manual search like " index=firewall DST=8.8.8.8 " works fine.

From my point of view a " index=firewall [ | inputlookup Server-2.csv | table DST ] " should do a search for every entry in the CSV file, but I get no error and no result.
There should be a result because 8.8.8.8 is in the CSV as first entry.
Is the table entry the wrong syntax?

Sorry if this question is too simple, but I really would appreciate some hints.

Thx

André  
 


anording
Engager

Dear thambisetty,

thx for the ultrafast reply. 😄

 

When I try your example, I get the following error:
Error in 'lookup' command: Could not find all of the specified lookup fields in the lookup table.

The field DST is available in firewall raw events.

In the CSV file there are only plain IP addresses, nothing else.

Do I have to define a new field called "newfieldfromcsv", and if yes, how?

I know, newbie questions.  😆

THX again for your help!

André


thambisetty
SplunkTrust

[ | inputlookup Server-2.csv | table DST ] is called a subsearch in Splunk. It has got limitations in the way you are using it.

Can you try using the lookup command like below:

Assuming field DST is available in the firewall raw events as well.

newfieldfromcsv is an extra field from the lookup, and this will be used to get events matched with firewall events.

index=firewall | stats count by DST
| lookup Server-2.csv DST OUTPUT newfieldfromcsv
| where isnotnull(newfieldfromcsv)

 

————————————
If this helps, give a like below.
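
An added example, not part of the original posts and not Splunk code: a Python check for a lookup file like the Server-2.csv described in the thread, which reports a missing or misnamed DST header and emulates the OR expression that a subsearch over that column expands to. The function names, the sample file contents and the 192.0.2.10 address are constructed for illustration.

```python
import csv
import io
import ipaddress


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def check_lookup(csv_text, field="DST"):
    """Return (problems, expression) for a lookup file used as a search filter."""
    rows = list(csv.reader(io.StringIO(csv_text)))
    if not rows:
        return ["file is empty"], ""
    header = rows[0]
    # The first row of a CSV lookup is read as field names, never as data,
    # and field names are case-sensitive: "dst" is not "DST".
    if field not in header:
        problems = [f"no column named {field!r}; header row is {header!r}"]
        if any(_is_ip(h) for h in header):
            problems.append("header row is an IP address: header line is missing")
        return problems, ""
    col, problems, terms = header.index(field), [], []
    for n, row in enumerate(rows[1:], start=2):
        if col >= len(row) or not row[col]:
            continue  # blank line or empty cell contributes no term
        value = row[col]
        if value != value.strip():
            problems.append(f"line {n}: {value!r} has surrounding whitespace")
        elif not _is_ip(value):
            problems.append(f"line {n}: {value!r} is not an IP address")
        terms.append(f'( {field}="{value}" )')
    # Emulates the shape of the expression a subsearch result is turned into.
    return problems, ("( " + " OR ".join(terms) + " )" if terms else "")


if __name__ == "__main__":
    # Constructed sample files: the first has no header line, the second does.
    for text in ("8.8.8.8\n192.0.2.10\n", "DST\n8.8.8.8\n192.0.2.10\n"):
        print(check_lookup(text))
```

An empty expression together with a "no column named" problem means neither the subsearch nor a lookup keyed on DST has a DST column to work with.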