pull search terms from a single column csv file (for scheduled reports / dashboard)

I have several search queries that I then save as reports (and schedule them); they are ultimately displayed on a dashboard (some are displayed on wall monitors).

Quite often, after seeing these dashboards, I have to come back and modify the query to remove some data.

So I was hoping I could put these terms into a single-column CSV file (with one single header), then just add new terms and re-upload the CSV file when I need to update the query (but I can't figure out how to do this). Example:

original query:

index=fwonly ATkc NOT src_ip="" | search asn!=Bob asn!=frank asn!=joe

What I'm hoping for/asking:

index=fwonly ATkc NOT src_ip="" | search asn!=LIST.csv

I'm hoping that, as needed, I can just re-upload a new LIST.csv file that contains:

and since it's LIST.csv being referenced, all my scheduled reports using LIST.csv will be updated.

I think what I want is to add/upload a lookup table file, create a CSV lookup definition (set permissions on both) and then cite/use that defined lookup table in my search query. But I haven't been able to make much headway on this. These are the threads/docs I've been following or tried so far:

(Any help is appreciated, or please do tell if this use case is not something I should be hoping to do easily with Splunk.) Thanks!



Have you tried index=fwonly ATkc NOT src_ip="" NOT [ | inputlookup LIST.csv | fields asn | format ]?

If this reply helps you, Karma would be appreciated.


Awesome! Thanks so much, that did work!

For any others in the future, all I had to do was upload the CSV file and create a lookup definition (after which you should see the Supported fields column update with the header from your CSV file, in my case just one header/column). Then you can use richgalloway's [ | inputlookup LIST.csv | fields asn | format ] to pull queries from that CSV file, which makes for easy updating in the future!

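The reason the accepted answer works is that Splunk expands the subsearch before running the outer search: `| inputlookup LIST.csv | fields asn | format` turns the rows of the lookup into a literal clause of the form `( ( asn="Bob" ) OR ( asn="frank" ) OR ( asn="joe" ) )`, and the leading `NOT` negates that whole clause. The Python below is an added illustration of that expansion, not code from the thread or from Splunk; it reads the same single-column CSV, builds the clause the way `format` does with its default separators, and assembles the final search string. The sample CSV content, the function names and the `max_values` guard are assumptions of this example; the 10,000 limit mirrors the default `maxout` for subsearches in Splunk's limits.conf, which is the practical ceiling on how long the exclusion list can grow before the subsearch is silently truncated.

```python
import csv
import io

# Constructed sample lookup file: one header (asn) and the three names from the question.
LIST_CSV = """asn
Bob
frank
joe
"""

# Default Splunk subsearch result cap ([subsearch] maxout in limits.conf).
DEFAULT_SUBSEARCH_MAXOUT = 10000


def read_lookup_column(csv_text: str, field: str) -> list[str]:
    """Return the non-empty values of one column, as `| inputlookup ... | fields <field>` would."""
    reader = csv.DictReader(io.StringIO(csv_text))
    if field not in (reader.fieldnames or []):
        raise ValueError(f"lookup has no field {field!r}; header is {reader.fieldnames}")
    return [row[field] for row in reader if row[field] not in (None, "")]


def splunk_quote(value: str) -> str:
    """Wrap a value in double quotes, escaping backslashes and quotes so it stays one SPL token."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def format_clause(field: str, values: list[str]) -> str:
    """Mimic `| format` with default separators: ( ( f="v1" ) OR ( f="v2" ) ... ).

    Returns an empty string for an empty list so the caller can decide what an
    empty exclusion list means (here: exclude nothing).
    """
    if not values:
        return ""
    parts = [f"( {field}={splunk_quote(v)} )" for v in values]
    return "( " + " OR ".join(parts) + " )"


def build_exclusion_search(
    base_search: str,
    field: str,
    csv_text: str,
    max_values: int = DEFAULT_SUBSEARCH_MAXOUT,
) -> str:
    """Assemble `<base_search> NOT <formatted clause>` from a single-column lookup.

    Raises if the list exceeds the subsearch cap, because Splunk would otherwise
    truncate the subsearch and the dashboard would quietly stop excluding entries.
    """
    values = read_lookup_column(csv_text, field)
    if len(values) > max_values:
        raise ValueError(f"{len(values)} values exceed the subsearch limit of {max_values}")
    clause = format_clause(field, values)
    return base_search if not clause else f"{base_search} NOT {clause}"


if __name__ == "__main__":
    # Prints the expanded search the scheduled report actually runs.
    print(build_exclusion_search('index=fwonly ATkc NOT src_ip=""', "asn", LIST_CSV))
```

Running the script shows exactly what the scheduled report sees after expansion, which is a useful sanity check before trusting a wall-monitor dashboard to an exclusion list someone else edits. Values are quoted so a CSV entry containing spaces or quotes cannot change the structure of the outer search. For lists that grow past the subsearch cap, the same lookup definition can be applied without a subsearch, for example `| lookup LIST.csv asn OUTPUT asn AS excluded | where isnull(excluded)`, which joins each event against the table instead of inlining the list into the search string.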