Re: Reference values in CSV versus hardcoding sear...

orion44 · ‎06-09-2019

It is possible to have Splunk reference values inside a CSV file at search time? This is much needed as I'm currently hardcoding static values into multiple reports' search queries.

Example report:
index=datalog AND Name=Tim AND Name=Bob AND Name=Jenn AND Name=Stacy | table Name _time

How can I put the names into a CSV (on the indexer) to be referenced at search time for multiple reports?

Desired result:
names.csv (Name each line)
index=datalog AND Name IN names.csv | table Name _time

Shan · ‎06-10-2019

Dear @orion44,

Write now your writing query as mentioned below.
Example report:
index=datalog AND Name=Tim AND Name=Bob AND Name=Jenn AND Name=Stacy | table Name _time

Your wishing to write the query as mentioned below. you don't want to hard-coding the Name value in query. You need to store it in a CSV file and use it in all the query. am i right.
Desired result:
names.csv (Name each line)
index=datalog AND Name IN names.csv | table Name _time

Steps:
1. create a csv file and enter all the names in it.
2. upload the names.csv file as lookup table. Follow the steps in below link. Filed name in both names.csv and index=datalog should be same.
[https://docs.splunk.com/Documentation/SplunkCloud/latest/Knowledge/Usefieldlookupstoaddinformationto...]
3. Use the lookup file and create a query as mentioned below.

 index=datalog 
| lookup names.csv Name OUTPUTNEW   Name
| table Name _time

Give a try and let me know whether its works or not..

Thanks ..

orion44 · ‎06-10-2019

Thank you for the suggestion. Unfortunately a static lookup doesn't achieve what I want as the names in names.csv changes frequently. I just need to be able to reference variables (names) in a csv file instead of hardcoding them at search time.

mydog8it · ‎06-09-2019

Try using 'join' to pull in the values from the csv. Assuming the data has a field called 'name' as well as the csv the search would look like this:
index=datalog | join name [inputlookup names.csv] | table name _time

mydog8it · ‎06-09-2019

I think I might have misunderstood your question.... My suggestion above would pull names from a csv and look for them in the data. If you are wanting to create a csv that contains the name and _time from the data try something like this (you will need to decide on append):
index=datalog | table name _time | outputlookup append=[true or false] names.csv

Then you can use join as shown above for report generation.

orion44 · ‎06-09-2019

Thanks, I'm wanting to match strings inside a csv (on the indexer) when I perform a query for specific names (as part of a eval statement) at search time. Currently I'm hardcoding the names into the search query – however this method doesn't scale and requires updating multiple reports when names are added to the required search criteria.

Reference values in CSV versus hardcoding search query for desired results

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation