use lookup file content in splunk search

sowmya_prasanna · ‎03-22-2021

Hello Team,

I have a list of search names saved in csv format and resides in splunk as look up file(222 saved search names).
I want to see number of times that saved search triggered alert in a day for 1 week.
the search query I am using for the same is as follows "index=_internal sourcetype=scheduler alert_actions="*email*" status=success savedsearch_name=* " |timechart span=1d count by savedsearch_name

instead of * in the above query for the filed savedsearch_name I want to use the saved search name from lookup table (csv file) and get the result for each saved search present there.

could you please let me know how can I do that ?

Funderburg78 · ‎03-30-2021

I assume you are using a saved search to generate the csv file for the listed example. If so, go into $Splunk_Home/etc/apps/Search/local/savedsearches.conf and find the name of the search you are using to generate the csv. If you are using a cutom app, replace "Search" with the name of your App!

-Good Luck, Replay if you have questions 🙂

manjunathmeti · ‎03-22-2021

hi @sowmya_prasanna,
Try this. The column name in CSV file should be savedsearch_name

index=_internal sourcetype=scheduler alert_actions="*email*" status=success | append [| inputlookup csvfilename.csv] | timechart span=1d count(status) as count by savedsearch_name

If this reply helps you, an upvote/like would be appreciated.

use lookup file content in splunk search

lookup

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life