Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Limit Results with CSV
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Everyone,
I have run into a problem I am not able to easily solve with Splunk. I have splunk query that returns some data, user name, appname, and app time accessed. This returns results for all users.
I separately have a list of users. I am trying to find the fields listed above for the list of users. I have uploaded the list of users both as file and lookup. I am not able to get the search to only return the list of users. search info below. Thanks!
index=prod_index sourcetype=MySource | rex field=_raw "<<LOT OF COMPLEX REGEX>>(?<appname>[^]]) (?<userName>[^]])"
AND
|inputlookup UserList.csv | rename "Garbage Name" as userName
I can not figure out how to get these two searches to merged. Any help would be great thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=prod_index sourcetype=MySource | rex field=_raw "<<LOT OF COMPLEX REGEX>>(?<appname>[^]]) (?<userName>[^]])" | fields appname, userName, date | join userName[|inputlookup UserList.csv | rename "Garbage Name" as userName]
Seem to do it thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is actually pretty easy using subsearches provided you are within limits as listed on that page.
index=prod_index sourcetype=MySource
| rex field=_raw "<<LOT OF COMPLEX REGEX>>(?<appname>[^]]) (?<userName>[^]])"
| where [inputlookup UserList.csv | rename "Garbage Name" as userName | fields userName]
The results of the subsearch gets expanded into a search expression ((userName="foo") OR (userName="bar") ... ) and put into the parent search.
Additionally, if you're able to build a field extractions in MySource and get rid of the rex command you can even simplify this further to a single search expression:
index=prod_index sourcetype=MySource [inputlookup UserList.csv | rename "Garbage Name" as userName | fields userName]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=prod_index sourcetype=MySource | rex field=_raw "<<LOT OF COMPLEX REGEX>>(?<appname>[^]]) (?<userName>[^]])" | fields appname, userName, date | join userName[|inputlookup UserList.csv | rename "Garbage Name" as userName]
Seem to do it thanks!
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
