Knowledge Management

use lookup file content in splunk search

sowmya_prasanna
Observer

Hello Team,

I have a list of search names saved in CSV format that resides in Splunk as a lookup file (222 saved search names).
I want to see the number of times each saved search triggered an alert per day for 1 week.
The search query I am using for this is as follows:

index=_internal sourcetype=scheduler alert_actions="*email*" status=success savedsearch_name=* | timechart span=1d count by savedsearch_name

Instead of * in the above query for the field savedsearch_name, I want to use the saved search names from the lookup table (CSV file) and get the result for each saved search present there.

Could you please let me know how I can do that?


Funderburg78
Path Finder

I assume you are using a saved search to generate the CSV file for the listed example. If so, go into $Splunk_Home/etc/apps/Search/local/savedsearches.conf and find the name of the search you are using to generate the CSV. If you are using a custom app, replace "Search" with the name of your app!

-Good luck, reply if you have questions 🙂


manjunathmeti
Champion

Hi @sowmya_prasanna,
Try this. The column name in the CSV file should be savedsearch_name.

index=_internal sourcetype=scheduler alert_actions="*email*" status=success | append [| inputlookup csvfilename.csv] | timechart span=1d count(status) as count by savedsearch_name


If this reply helps you, an upvote/like would be appreciated.

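As an added example (not from either reply above), this is the subsearch form of the same idea: the inputlookup is expanded into an OR filter on savedsearch_name, so only scheduler events whose savedsearch_name appears in the CSV are counted. The file name saved_searches.csv is an assumption; the lookup is assumed to have a single column named savedsearch_name.

```spl
index=_internal sourcetype=scheduler alert_actions="*email*" status=success
    earliest=-7d@d latest=@d
    [| inputlookup saved_searches.csv
     | fields savedsearch_name
     | format ]
| timechart span=1d count by savedsearch_name limit=0 useother=f
```

The subsearch returns `( ( savedsearch_name="A" ) OR ( savedsearch_name="B" ) ... )` for every row in the lookup; 222 names is well under the default subsearch result limit. `limit=0 useother=f` on timechart is needed because by default only the top 10 series are kept and the rest are collapsed into OTHER, which would hide most of the 222 searches.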