Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Splunk search using CSV file data as input

psalibindla9524
New Member
‎08-14-2016 10:37 PM

I would like to search

index=main type=router OR type=switch OR type=firewall OR type=sysproxy ..

Instead i wanna do as below
test.csv
devicetype
router
switch
firewall
sysproxy
webproxy

index=main |search [|inputlookup test.csv |feilds devicetype]

It does not return the output. Can you please help how to get the results.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎08-15-2016 05:18 AM

In you first search example, the field name appears to be type whereas in the .csv field, field name is devicetype For your subsearch to work, the two needs to be the same. So you could either rename the field in the .csv by editing it, or you could try your search like this

index=main |search [|inputlookup test.csv |rename devicetype AS type | fields type]

View solution in original post

Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎08-15-2016 05:18 AM

In you first search example, the field name appears to be type whereas in the .csv field, field name is devicetype For your subsearch to work, the two needs to be the same. So you could either rename the field in the .csv by editing it, or you could try your search like this

index=main |search [|inputlookup test.csv |rename devicetype AS type | fields type]
Reply
Solved! Jump to solution

echalex
Builder
‎08-15-2016 05:43 AM

Since sundareshr was first to answer (in a comment), I'm demoting my answer to a comment. The solution is indeed correct, but you can shorten it a bit:

index=main [|inputlookup test.csv |rename devicetype AS type | fields type]

(oh, and I had a typo in my answer... Fixed now.)

0 Karma
Reply
Solved! Jump to solution

tjrhodeback
New Member
‎06-14-2017 07:39 AM

There is also a typo "|feilds devicetype]"

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

.conf26 Registration is Live: Secure Your Early Bird Pass Now

  Lock in Your Spot: Registration Open for .conf26 in Denver Hello Splunkers, I have exciting news! Your ...

Mile High Learning with Splunk University, Denver, Colorado

If Denver is known for its mile-high elevation, Splunk University is about to raise the bar on technical ...

IT Service Intelligence 5.0 Series: Your Guide to the June Launch

We are excited to announce the June release of Splunk IT Service Intelligence (ITSI) 5.0. This update ...