Solved: inputcsv match anywhere

reed_kelly · ‎05-07-2013

I have a list of usernames in a CSV file. I want to find any events that contain any of these usernames in _raw. I cannot guarantee that there is a field called user or affected_user for every event, so I want to match anywhere in the string. If I try the following, it only matches for the first user:

.. [ inputcsv userlist.csv |return $user ]

but this only matches on the first user in the list.

Does anyone know how I can match any of the users (words) in a list?

This should be the same whether I am using inputcsv or inputlookup.

Ayn · ‎05-07-2013

... [inputcsv userlist.csv | rename user as query | fields query]

"query" (or "search" if you prefer, has same effect) is a special field name that makes Splunk omit the 'field=value' formatting when returning from a subsearch.

View solution in original post

Ayn · ‎05-07-2013

... [inputcsv userlist.csv | rename user as query | fields query]

"query" (or "search" if you prefer, has same effect) is a special field name that makes Splunk omit the 'field=value' formatting when returning from a subsearch.

reed_kelly · ‎05-07-2013

Running 4.3.1 search head...

inputcsv match anywhere

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

Alerting Best Practices: How to Create Good Detectors

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...