pull search terms from a single column csv file (for scheduled reports / dashboard)

spunk311z
Path Finder

I have several search queries that I then save as reports (and schedule them); they are ultimately displayed on a dashboard (some are displayed on wall monitors).

Once I see these dashboards, quite often I have to come back and modify the query to remove some data.

So I was hoping I could add these terms to a single-column CSV file (with one header), then just add new terms and re-upload the CSV file when I need to update the query (but I can't figure out how to do this). Example:

original query:

index=fwonly ATkc NOT src_ip="10.0.0.0/8" | search asn!=Bob asn!=frank asn!=joe

What I'm hoping for/asking:

index=fwonly ATkc NOT src_ip="10.0.0.0/8" | search asn!=LIST.csv

I'm hoping that, as needed, I can just re-upload a new LIST.csv file that contains:
asn
frank
joe
Bob
new_term1
new_term2

and since it's LIST.csv being referenced, all my scheduled reports using LIST.csv will be updated.

I think what I want is to add/upload a lookup table file, create a CSV lookup definition (set permissions on both) and then cite/use that defined lookup table in my search query. But I haven't been able to make much headway on this. These are the threads/docs I've been following or tried so far:

https://answers.splunk.com/answers/50649/searching-each-line-of-a-file-against-a-splunk-index.html

https://docs.splunk.com/Documentation/Splunk/7.0.2/Knowledge/Usefieldlookupstoaddinformationtoyourev...

(Any help is appreciated, or please do tell if this use case is not something I should be hoping to do easily with Splunk.) Thanks!

richgalloway
SplunkTrust

Have you tried index=fwonly ATkc NOT src_ip="10.0.0.0/8" NOT [ | inputlookup LIST.csv | fields asn | format ]?

---
If this reply helps you, Karma would be appreciated.


spunk311z
Path Finder

Awesome! Thanks so much, that did work!

For any others in the future, all I had to do was upload the CSV file and create a lookup definition (after which you should see the Supported fields column update with the header from your CSV file, in my case just one header/column). Then you can use richgalloway's [ | inputlookup LIST.csv | fields asn | format ] to pull queries from that CSV file, which makes for easy updating in the future!

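As an added example (not part of the thread, and not Splunk's own code), the Python below emulates what richgalloway's subsearch does so you can see why it replaces the hand-edited asn!=... list: it reads the single-column LIST.csv, builds the ( ( asn="..." ) OR ... ) clause that `format` substitutes into the outer search, and applies the NOT exclusion to a few constructed events. The CSV text and the events are constructed for the demonstration; the no-asn event is included because NOT asn=value keeps events that lack the field, whereas the original asn!=value does not.

```python
import csv
import io

# Constructed stand-in for the uploaded LIST.csv: one header, one term per row.
LIST_CSV = """asn
frank
joe
Bob
new_term1
new_term2
"""

# Constructed sample events, each a dict of extracted fields.
EVENTS = [
    {"src_ip": "203.0.113.5", "asn": "frank"},
    {"src_ip": "198.51.100.9", "asn": "acme"},
    {"src_ip": "203.0.113.77", "asn": "BOB"},  # field=value in search is case-insensitive
    {"src_ip": "192.0.2.3"},                    # no asn field at all
]


def lookup_values(csv_text, field):
    """Emulates `| inputlookup LIST.csv | fields asn`: read one column, skip blank rows."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [row[field].strip() for row in reader if (row.get(field) or "").strip()]


def format_subsearch(field, values):
    """Emulates `| format`: the text Splunk substitutes for the [ ... ] subsearch,
    e.g. ( ( asn="frank" ) OR ( asn="joe" ) ). Every value is quoted."""
    clauses = [f'( {field}="{v}" )' for v in values]
    return "( " + " OR ".join(clauses) + " )"


def exclude_by_lookup(events, field, values):
    """Emulates `... NOT [ subsearch ]` on the sample events.
    NOT field=value keeps events that lack the field entirely (unlike field!=value),
    and the comparison is case-insensitive, as in the search command."""
    blocked = {v.lower() for v in values}
    return [e for e in events if e.get(field, "").lower() not in blocked]


if __name__ == "__main__":
    terms = lookup_values(LIST_CSV, "asn")
    # The search as Splunk actually runs it after subsearch expansion.
    print('index=fwonly ATkc NOT src_ip="10.0.0.0/8" NOT ' + format_subsearch("asn", terms))
    for event in exclude_by_lookup(EVENTS, "asn", terms):
        print(event)
```

One operational caveat: a subsearch returns at most the limits.conf `[subsearch] maxout` rows (10,000 by default), so a LIST.csv larger than that would be silently truncated and some terms would stop being excluded.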