Splunk Enterprise Security

Not sure how to go about my search


Sorry, I am fairly new to Splunk and not sure how to go about getting my search to work, so I apologize if I am using the wrong terms.

I have imported a CSV file. What I want to accomplish is this: in the imported CSV file I have a field that I want to match with another search,
so if any other log matches the CSV field, I want it to show me what matched.

I was thinking something like

index=bob sourcetype=scanner
| join type=inner [| lookup csvfile]
| table myresults

0 Karma

index=bob sourcetype=scanner [ |inputlookup csvfile | table field1]
|table myresults

Should do the trick. This is basically saying | search IN fieldList, or a typical IN clause in other languages. There are a bunch of other ways to do this if you're later in your search, but for the initial search clause this is a good option.

0 Karma
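
An added example, not part of the original answer: the same subsearch filter, extended for the case where the field is named differently in the events than in the CSV, with a summary of which CSV value each event matched. It assumes the CSV column is `field1` (as in the answer) and that the scanner events carry the value in a field called `scanner_field`, which is a hypothetical name.

```spl
index=bob sourcetype=scanner
    [| inputlookup csvfile
     | fields field1
     | dedup field1
     | rename field1 AS scanner_field ]
| lookup csvfile field1 AS scanner_field OUTPUT field1 AS matched_value
| stats count AS events, latest(_time) AS last_seen BY matched_value
| convert ctime(last_seen)
```

The subsearch runs first and is expanded into `( ( scanner_field="value1" ) OR ( scanner_field="value2" ) ... )` in the outer search, which is why the field name it returns has to match the field name in the events. The `lookup` step is also where any other columns of the CSV can be pulled into the results.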