Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Limit Results with CSV

nspatel
Explorer
‎05-11-2015 08:40 AM

Hi Everyone,

I have run into a problem I am not able to easily solve with Splunk. I have splunk query that returns some data, user name, appname, and app time accessed. This returns results for all users.

I separately have a list of users. I am trying to find the fields listed above for the list of users. I have uploaded the list of users both as file and lookup. I am not able to get the search to only return the list of users. search info below. Thanks!

index=prod_index sourcetype=MySource | rex field=_raw "<<LOT OF COMPLEX REGEX>>(?<appname>[^]]) (?<userName>[^]])"
AND
|inputlookup UserList.csv | rename "Garbage Name" as userName

I can not figure out how to get these two searches to merged. Any help would be great thanks!

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

nspatel
Explorer
‎05-11-2015 08:53 AM

index=prod_index sourcetype=MySource | rex field=_raw "<<LOT OF COMPLEX REGEX>>(?<appname>[^]]) (?<userName>[^]])" | fields appname, userName, date | join userName[|inputlookup UserList.csv | rename "Garbage Name" as userName]

Seem to do it thanks!

View solution in original post

0 Karma
Reply
Solved! Jump to solution

acharlieh
Influencer
‎05-11-2015 09:02 AM

This is actually pretty easy using subsearches provided you are within limits as listed on that page. 

index=prod_index sourcetype=MySource 
| rex field=_raw "&lt;&lt;LOT OF COMPLEX REGEX&gt;&gt;(?&lt;appname&gt;[^]]) (?&lt;userName&gt;[^]])"
| where [inputlookup UserList.csv | rename "Garbage Name" as userName | fields userName]

The results of the subsearch gets expanded into a search expression ((userName="foo") OR (userName="bar") ... ) and put into the parent search.

Additionally, if you're able to build a field extractions in MySource and get rid of the rex command you can even simplify this further to a single search expression:

index=prod_index sourcetype=MySource [inputlookup UserList.csv | rename "Garbage Name" as userName | fields userName]
0 Karma
Reply
Solved! Jump to solution
Solution

nspatel
Explorer
‎05-11-2015 08:53 AM

index=prod_index sourcetype=MySource | rex field=_raw "<<LOT OF COMPLEX REGEX>>(?<appname>[^]]) (?<userName>[^]])" | fields appname, userName, date | join userName[|inputlookup UserList.csv | rename "Garbage Name" as userName]

Seem to do it thanks!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

    Thursday, June 25, 2026  |  11AM PDT / 2PM EDT  Duration: 1 Hour (Includes live Q&A) Register to ...

Analytics Workspace deprecation

As of Splunk Cloud Platform 10.4.2604 and Splunk Enterprise 10.4, Analytics Workspace is now deprecated. ...

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Splunk Developer Day brought the Splunk developer community together for a practical look at what it means to ...