Join the Conversation
- Find Answers
- :
- Apps & Add-ons
- :
- Splunk Development
- :
- Splunk Dev
- :
- Re: Cross reference a field from an imported csv f...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I currently have a csv file that contains a lot of CVE's; for example CVE-000-0001, CVE-000-0002, so on and so forth.
On another index, I have all of my nessus data which some contain CVE fields.
How can I search my nessus data and match only CVE fields that are present in the csv file?
Currently I'm doing CVE equals and then manually pasting in the CVE from the csv but that's getting a bit complicated to manage.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This kind of thing gives you only the records from your base search that are found in the lookup file.
your base search
| fields mykey mycvefield foo
| join mycvefield [|inputcsv mycsvfile | fields othercvefield bar baz | rename othercvefield as mycvefield]
| table mykeyfield mycvefield foo bar baz
This kind of thing gives you all the records from the base search, along with the matched fields from the lookup table, if any
your base search
| fields mykey mycvefield foo
| join type=left mycvefield [|inputcsv mycsvfile | fields othercvefield bar baz | rename othercvefield as mycvefield]
| table mykeyfield mycvefield myotherfields foo bar baz
| eval bar=if(isnotnull(bar),bar,"no bar found")
| eval baz=if(isnotnull(baz),baz,"no baz found")
For some uses you want "inputlookup", for other uses you want "inputcsv". If your search is going to be run from different search heads, then it's worth the effort to officially make the csv file to be a lookup table.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This kind of thing gives you only the records from your base search that are found in the lookup file.
your base search
| fields mykey mycvefield foo
| join mycvefield [|inputcsv mycsvfile | fields othercvefield bar baz | rename othercvefield as mycvefield]
| table mykeyfield mycvefield foo bar baz
This kind of thing gives you all the records from the base search, along with the matched fields from the lookup table, if any
your base search
| fields mykey mycvefield foo
| join type=left mycvefield [|inputcsv mycsvfile | fields othercvefield bar baz | rename othercvefield as mycvefield]
| table mykeyfield mycvefield myotherfields foo bar baz
| eval bar=if(isnotnull(bar),bar,"no bar found")
| eval baz=if(isnotnull(baz),baz,"no baz found")
For some uses you want "inputlookup", for other uses you want "inputcsv". If your search is going to be run from different search heads, then it's worth the effort to officially make the csv file to be a lookup table.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This worked like a charm. I had to do inputlookup since I imported it as a dataset but works great. Thank you!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You are quite welcome. Yes, there are nuance details about when to use lookup and when to use csv --- especially regarding local versus clustered --- but they are largely equivalent on the reporting side.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Observability Simplified: Combining User Experience, Application Performance & ...
Event Series May & June: From Network Visibility to Service Intelligence
Global Splunk User Group Events: May + June 2026
