Getting Data In

Reference values in CSV versus hardcoding search query for desired results

orion44
Communicator

Is it possible to have Splunk reference values inside a CSV file at search time? This is much needed as I'm currently hardcoding static values into multiple reports' search queries.

Example report:
index=datalog AND (Name=Tim OR Name=Bob OR Name=Jenn OR Name=Stacy) | table Name _time

How can I put the names into a CSV (on the indexer) to be referenced at search time for multiple reports?

Desired result:
names.csv (Name each line)
index=datalog AND Name IN names.csv | table Name _time

0 Karma

Shan
Builder

Dear @orion44,

Right now you are writing your query as mentioned below.
Example report:
index=datalog AND (Name=Tim OR Name=Bob OR Name=Jenn OR Name=Stacy) | table Name _time

You are wishing to write the query as mentioned below. You don't want to hard-code the Name value in the query. You need to store it in a CSV file and use it in all the queries. Am I right?
Desired result:
names.csv (Name each line)
index=datalog AND Name IN names.csv | table Name _time

Steps:
1. create a csv file and enter all the names in it.
2. Upload the names.csv file as a lookup table. Follow the steps in the link below. The field name in both names.csv and index=datalog should be the same.
[https://docs.splunk.com/Documentation/SplunkCloud/latest/Knowledge/Usefieldlookupstoaddinformationto...]
3. Use the lookup file and create a query as mentioned below.

index=datalog
| lookup names.csv Name OUTPUT Name AS listed_name
| where isnotnull(listed_name)
| table Name _time

Give it a try and let me know whether it works or not.

Thanks ..

0 Karma

orion44
Communicator

Thank you for the suggestion. Unfortunately a static lookup doesn't achieve what I want, as the names in names.csv change frequently. I just need to be able to reference variables (names) in a CSV file instead of hardcoding them at search time.

0 Karma

mydog8it
Builder

Try using 'join' to pull in the values from the csv. Assuming the data has a field called 'name' as well as the csv the search would look like this:
index=datalog | join name [| inputlookup names.csv] | table name _time

0 Karma

mydog8it
Builder

I think I might have misunderstood your question.... My suggestion above would pull names from a csv and look for them in the data. If you are wanting to create a csv that contains the name and _time from the data try something like this (you will need to decide on append):
index=datalog | table name _time | outputlookup append=[true or false] names.csv

Then you can use join as shown above for report generation.

0 Karma

orion44
Communicator

Thanks, I'm wanting to match strings inside a CSV (on the indexer) when I perform a query for specific names (as part of an eval statement) at search time. Currently I'm hardcoding the names into the search query – however this method doesn't scale and requires updating multiple reports when names are added to the required search criteria.

0 Karma
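The pattern the thread circles around without spelling out is a subsearch over the lookup file: Splunk evaluates `[| inputlookup names.csv | fields Name]` first and substitutes its rows into the outer search as an OR-list, which is exactly the hard-coded list the question wants to get rid of. The following savedsearches.conf stanzas are an added example, not code posted by anyone in the thread; they assume a lookup table file named names.csv with a header row `Name` (contents constructed below), events in index=datalog carrying a field called Name, and made-up report names and a made-up output field `listed_name`.

```ini
# Added example, not code from the thread. Stanzas for savedsearches.conf
# (the search= lines also work typed directly into the search bar) that pull
# the name list from a lookup file at search time, so adding a name means
# editing names.csv once rather than every report.
#
# Assumed (constructed for this example): a lookup table file names.csv
# uploaded under Settings > Lookups > Lookup table files, with contents
#
#   Name
#   Tim
#   Bob
#   Jenn
#   Stacy
#
# and events in index=datalog that carry a field called Name, as in the
# original question. Report names and the field listed_name are made up here.

# 1. Filter events to the listed names with a subsearch. Splunk runs the
#    bracketed inputlookup first and substitutes its result into the outer
#    search as ( (Name="Tim") OR (Name="Bob") OR (Name="Jenn") OR (Name="Stacy") ),
#    which is the OR-list that was previously hard-coded.
[Datalog - events for listed names]
search = index=datalog [| inputlookup names.csv | fields Name] | table Name _time

# 2. Same list consumed from an eval, for reports that need every event but
#    want to mark which ones belong to a listed name. The lookup writes the
#    matched value into listed_name; it stays null for names absent from the CSV.
[Datalog - events tagged by listed names]
search = index=datalog \
    | lookup names.csv Name OUTPUT Name AS listed_name \
    | eval in_list=if(isnotnull(listed_name), "yes", "no") \
    | table Name in_list _time

# 3. Count per listed name, reusing the same subsearch so this report never
#    needs editing when names.csv changes.
[Datalog - counts per listed name]
search = index=datalog [| inputlookup names.csv | fields Name] | stats count by Name
```

Two caveats a practitioner will hit: field names are case-sensitive, so `Name` in the CSV header must match `Name` in the events (the join example in this thread uses `name`, which would silently match nothing against a `Name` field); and a subsearch is capped by limits.conf `[subsearch]` defaults of 10,000 results and 60 seconds, so for very long lists the lookup-plus-`where isnotnull(listed_name)` form from stanza 2 is the safer filter. Because the list is read at search time, re-uploading names.csv (or refreshing it with `outputlookup`) changes every report on the next run, which addresses the objection that the names change frequently.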