Solved: Limit Results with CSV

nspatel · ‎05-11-2015

Hi Everyone,

I have run into a problem I am not able to easily solve with Splunk. I have splunk query that returns some data, user name, appname, and app time accessed. This returns results for all users.

I separately have a list of users. I am trying to find the fields listed above for the list of users. I have uploaded the list of users both as file and lookup. I am not able to get the search to only return the list of users. search info below. Thanks!

index=prod_index sourcetype=MySource | rex field=_raw "<<LOT OF COMPLEX REGEX>>(?<appname>[^]]) (?<userName>[^]])"
AND
|inputlookup UserList.csv | rename "Garbage Name" as userName

I can not figure out how to get these two searches to merged. Any help would be great thanks!

nspatel · ‎05-11-2015

Seem to do it thanks!

View solution in original post

acharlieh · ‎05-11-2015

This is actually pretty easy using subsearches provided you are within limits as listed on that page.

index=prod_index sourcetype=MySource 
| rex field=_raw "&lt;&lt;LOT OF COMPLEX REGEX&gt;&gt;(?&lt;appname&gt;[^]]) (?&lt;userName&gt;[^]])"
| where [inputlookup UserList.csv | rename "Garbage Name" as userName | fields userName]

The results of the subsearch gets expanded into a search expression ((userName="foo") OR (userName="bar") ... ) and put into the parent search.

Additionally, if you're able to build a field extractions in MySource and get rid of the rex command you can even simplify this further to a single search expression:

index=prod_index sourcetype=MySource [inputlookup UserList.csv | rename "Garbage Name" as userName | fields userName]

nspatel · ‎05-11-2015

Seem to do it thanks!

Limit Results with CSV

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor