Getting Data In

pull search terms from a single column csv file (for scheduled reports / dashboard)

spunk311z
Path Finder

I have several search queries that i then save as reports (and schedule them), they ultimately are displayed on a dashboard (some are displayed on wall monitors).

Once seeing these dashboards Quite often, i have to come back and modify the query to remove some data.

So i was hoping i could add these terms into a single column CSV file (with 1 single header), and just add new terms, and re-upload the CSV file when i need to update the query. (but i cant figure out how to do this) Example:

original query:

index=fwonly ATkc NOT src_ip="10.0.0.0/8" | search asn!=Bob asn!=frank asn!=joe

What im hoping for/asking:

index=fwonly ATkc NOT src_ip="10.0.0.0/8" | search asn!=LIST.csv

Im hoping, as needed i can just reupload a new LIST.csv file that contains:
asn
frank
joe
Bob
new_term1
new_term2

and since its the LIST.csv being referenced, all my scheduled reports using LIST.csv will be updated.

I think what i want is to add/upload a lookup table file, create a CSV lookup definition (set permissions on both) and then cite/use that defined lookup table in my search query. But i havent been able to make much headway on this. These are the threads / docs ive been following or tried so far-

https://answers.splunk.com/answers/50649/searching-each-line-of-a-file-against-a-splunk-index.html

https://docs.splunk.com/Documentation/Splunk/7.0.2/Knowledge/Usefieldlookupstoaddinformationtoyourev...

https://answers.splunk.com/answers/50649/searching-each-line-of-a-file-against-a-splunk-index.html

(any help is appreciated, or please do tell if this usecase is not something i should be hoping to do easily with splunk) thanks!

0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

Have you tried index=fwonly ATkc NOT src_ip="10.0.0.0/8" NOT [ | inputlookup LIST.csv | fields asn | format ]?

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

Have you tried index=fwonly ATkc NOT src_ip="10.0.0.0/8" NOT [ | inputlookup LIST.csv | fields asn | format ]?

---
If this reply helps you, Karma would be appreciated.

spunk311z
Path Finder

awesome! thanks so much, that did work!

for any others in the future, all i had to do was upload the csv file, create a lookup definition, (after which you should then see the Supported fields column update w the header from your csv file, in my case just 1x header/column). then you can use richgalloway's [ | inputlookup LIST.csv | fields asn | format ] to pull queries from that csv file, which makes for easy updating in the future!)

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...