Getting Data In

Limit Results with CSV

nspatel
Explorer

Hi Everyone,

I have run into a problem I am not able to easily solve with Splunk. I have splunk query that returns some data, user name, appname, and app time accessed. This returns results for all users.

I separately have a list of users. I am trying to find the fields listed above for the list of users. I have uploaded the list of users both as file and lookup. I am not able to get the search to only return the list of users. search info below. Thanks!

index=prod_index sourcetype=MySource | rex field=_raw "<<LOT OF COMPLEX REGEX>>(?<appname>[^]]) (?<userName>[^]])"
AND
|inputlookup UserList.csv | rename "Garbage Name" as userName

I can not figure out how to get these two searches to merged. Any help would be great thanks!

Tags (3)
0 Karma
1 Solution

nspatel
Explorer

index=prod_index sourcetype=MySource | rex field=_raw "<<LOT OF COMPLEX REGEX>>(?<appname>[^]]) (?<userName>[^]])" | fields appname, userName, date | join userName[|inputlookup UserList.csv | rename "Garbage Name" as userName]

Seem to do it thanks!

View solution in original post

0 Karma

acharlieh
Influencer

This is actually pretty easy using subsearches provided you are within limits as listed on that page.

index=prod_index sourcetype=MySource 
| rex field=_raw "&lt;&lt;LOT OF COMPLEX REGEX&gt;&gt;(?&lt;appname&gt;[^]]) (?&lt;userName&gt;[^]])"
| where [inputlookup UserList.csv | rename "Garbage Name" as userName | fields userName]

The results of the subsearch gets expanded into a search expression ((userName="foo") OR (userName="bar") ... ) and put into the parent search.

Additionally, if you're able to build a field extractions in MySource and get rid of the rex command you can even simplify this further to a single search expression:

index=prod_index sourcetype=MySource [inputlookup UserList.csv | rename "Garbage Name" as userName | fields userName]
0 Karma

nspatel
Explorer

index=prod_index sourcetype=MySource | rex field=_raw "<<LOT OF COMPLEX REGEX>>(?<appname>[^]]) (?<userName>[^]])" | fields appname, userName, date | join userName[|inputlookup UserList.csv | rename "Garbage Name" as userName]

Seem to do it thanks!

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

From Data to Insight: Announcing the Winners of the Splunk Dashboard Contest

Hi Splunkers, First off, thank you to everyone who participated in our very first From Data to Insight: The ...

Splunk Developers: Construct Your Future at the .conf26 Builder Bar

Calling all Splunk architects, platform admins, and app developers: the site is open, and the blueprints are ...

Quick connection discovery mode for forwarders

When a Splunk forwarder loses connectivity to its indexers, it does not always reconnect immediately. In many ...