Getting Data In

Reference values in CSV versus hardcoding search query for desired results

orion44
Communicator

It is possible to have Splunk reference values inside a CSV file at search time? This is much needed as I'm currently hardcoding static values into multiple reports' search queries.

Example report:
index=datalog AND Name=Tim AND Name=Bob AND Name=Jenn AND Name=Stacy | table Name _time

How can I put the names into a CSV (on the indexer) to be referenced at search time for multiple reports?

Desired result:
names.csv (Name each line)
index=datalog AND Name IN names.csv | table Name _time

0 Karma

Shan
Builder

Dear @orion44,

Right now you are writing your query as mentioned below.
Example report:
index=datalog AND Name=Tim AND Name=Bob AND Name=Jenn AND Name=Stacy | table Name _time

You wish to write the query as mentioned below. You don't want to hard-code the Name value in the query; you need to store it in a CSV file and use it in all the queries. Am I right?
Desired result:
names.csv (Name each line)
index=datalog AND Name IN names.csv | table Name _time

Steps:
1. create a csv file and enter all the names in it.
2. Upload the names.csv file as a lookup table. Follow the steps in the link below. The field name in both names.csv and index=datalog should be the same.
[https://docs.splunk.com/Documentation/SplunkCloud/latest/Knowledge/Usefieldlookupstoaddinformationto...]
3. Use the lookup file and create a query as mentioned below.

index=datalog
| lookup names.csv Name OUTPUTNEW Name
| table Name _time

Give it a try and let me know whether it works or not.

Thanks ..

0 Karma

orion44
Communicator

Thank you for the suggestion. Unfortunately a static lookup doesn't achieve what I want, as the names in names.csv change frequently. I just need to be able to reference variables (names) in a CSV file instead of hardcoding them at search time.

0 Karma

mydog8it
Builder

Try using 'join' to pull in the values from the csv. Assuming the data has a field called 'name' as well as the csv the search would look like this:
index=datalog | join name [inputlookup names.csv] | table name _time

0 Karma

mydog8it
Builder

I think I might have misunderstood your question.... My suggestion above would pull names from a csv and look for them in the data. If you are wanting to create a csv that contains the name and _time from the data try something like this (you will need to decide on append):
index=datalog | table name _time | outputlookup append=[true or false] names.csv

Then you can use join as shown above for report generation.

0 Karma

orion44
Communicator

Thanks, I'm wanting to match strings inside a CSV (on the indexer) when I perform a query for specific names (as part of an eval statement) at search time. Currently I'm hardcoding the names into the search query – however this method doesn't scale and requires updating multiple reports when names are added to the required search criteria.

0 Karma
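Two searches that give the "Name IN names.csv" behaviour the original poster asks for, added here as an example and not taken from any reply in this thread. Both assume names.csv has been uploaded as a lookup table file (Settings > Lookups > Lookup table files) with a header row containing the single field Name, since a Splunk CSV lookup needs a header, and that the events in index=datalog carry a field called Name. The file is read each time a search runs, so editing or regenerating names.csv (for example with outputlookup) changes the results of every report that references it without touching the report definitions.

```spl
index=datalog [| inputlookup names.csv | fields Name | format]
| table Name _time

index=datalog
| lookup names.csv Name OUTPUT Name AS in_list
| where isnotnull(in_list)
| table Name _time
```

In the first search the subsearch runs first and format rewrites its rows as ( ( Name="Tim" ) OR ( Name="Bob" ) OR ... ), which is spliced into the outer search; the terms are ORed, so an event matches when its Name is any value in the file (the AND-chained form in the question can never match, because a single event has only one Name). Subsearches are capped by limits.conf [subsearch] settings, 10,000 results and 60 seconds by default, and a larger names.csv is silently truncated, so for a long list prefer the second search: the lookup adds the hypothetical field in_list only to events whose Name appears in the file, and the where clause drops the rest with no subsearch limit involved. Note that OUTPUTNEW Name, as used earlier in the thread, never filters anything, because Name already exists on every event and OUTPUTNEW only writes a field that is absent.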