Getting Data In

Reference values in CSV versus hardcoding search query for desired results

orion44
Communicator

It is possible to have Splunk reference values inside a CSV file at search time? This is much needed as I'm currently hardcoding static values into multiple reports' search queries.

Example report:
index=datalog AND Name=Tim AND Name=Bob AND Name=Jenn AND Name=Stacy | table Name _time

How can I put the names into a CSV (on the indexer) to be referenced at search time for multiple reports?

Desired result:
names.csv (Name each line)
index=datalog AND Name IN names.csv | table Name _time

0 Karma

Shan
Builder

Dear @orion44,

Write now your writing query as mentioned below.
Example report:
index=datalog AND Name=Tim AND Name=Bob AND Name=Jenn AND Name=Stacy | table Name _time

Your wishing to write the query as mentioned below. you don't want to hard-coding the Name value in query. You need to store it in a CSV file and use it in all the query. am i right.
Desired result:
names.csv (Name each line)
index=datalog AND Name IN names.csv | table Name _time

Steps:
1. create a csv file and enter all the names in it.
2. upload the names.csv file as lookup table. Follow the steps in below link. Filed name in both names.csv and index=datalog should be same.
[https://docs.splunk.com/Documentation/SplunkCloud/latest/Knowledge/Usefieldlookupstoaddinformationto...]
3. Use the lookup file and create a query as mentioned below.

 index=datalog 
| lookup names.csv Name OUTPUTNEW   Name
| table Name _time

Give a try and let me know whether its works or not..

Thanks ..

0 Karma

orion44
Communicator

Thank you for the suggestion. Unfortunately a static lookup doesn't achieve what I want as the names in names.csv changes frequently. I just need to be able to reference variables (names) in a csv file instead of hardcoding them at search time.

0 Karma

mydog8it
Builder

Try using 'join' to pull in the values from the csv. Assuming the data has a field called 'name' as well as the csv the search would look like this:
index=datalog | join name [inputlookup names.csv] | table name _time

0 Karma

mydog8it
Builder

I think I might have misunderstood your question.... My suggestion above would pull names from a csv and look for them in the data. If you are wanting to create a csv that contains the name and _time from the data try something like this (you will need to decide on append):
index=datalog | table name _time | outputlookup append=[true or false] names.csv

Then you can use join as shown above for report generation.

0 Karma

orion44
Communicator

Thanks, I'm wanting to match strings inside a csv (on the indexer) when I perform a query for specific names (as part of a eval statement) at search time. Currently I'm hardcoding the names into the search query – however this method doesn't scale and requires updating multiple reports when names are added to the required search criteria.

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...