Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

search keywords from .csv file

bagarwal
Path Finder
‎01-05-2017 12:14 AM

Hi All,

I want to run a query that search keywords from the .csv file . I have created lookup file and lookup definitions and can see see value present in .csv file after running |inputlookup abc.csv

Now, suppose earlier I want to run query like this
" index = <> keyword1 keyword2 | table name1, name2

want to use .csv file to search for keywords ( as there are many) and display the result in tabular format

Thanks in advance.

Regards,
Binay Agarwal

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-05-2017 12:40 AM

Hi bagarwal,
to search keywords from a lookup you have to do this:

index=your_index [| inputlookup your_lookup | rename keyword AS query | fields query ] | table ....

The only problem is that it's very difficult to insert in a field the found keyword.
If you want this see this answer I received https://answers.splunk.com/answers/479831/how-to-search-for-a-pair-of-substrings-in-a-subsea.html.
Bye.
Giuseppe

0 Karma
Reply

bagarwal
Path Finder
‎01-05-2017 01:04 AM

Hi Giuseppe,

Thanks for response. The link you have given is no longer available. 😞

In the query
index=your_index [| inputlookup your_lookup | rename keyword AS query | fields query ] | table ....

didn't understand much the below part

rename keyword AS query | fields query ] . Does it mean all the keywords need to be write in rename ..
or any other better way we can present

Once again, thank you so much for the response.

Regards,
Binay Agarwal

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-05-2017 01:37 AM

if you run a subsearch you use the fields result of the secondary search in the primary (e.g. index=... [ | index=... | dedup my_field | table my_field] means that you use all the values of the field my_field to search only in the my_field field that must be present in the primary search).
Renaming a field AS "query" or "SEARCH" and passing them to the primary search you don't search for the pair field=value but you run a full text search having in OR all the keywords of your lookup.
see https://docs.splunk.com/Documentation/Splunk/6.5.1/Search/Changetheformatofsubsearchresults#The_sear...
Bye.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization uses ...