Join the Conversation
- Find Answers
- :
- Splunk Platform
- :
- Splunk Enterprise
- :
- Re: Search text list from inputlookup ignore quate...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have some trouble with search from csv list.
If in column is two words divided with space, searching done separately for both
Example:
sourcetype="WinEventLog:Security" ("Domain Admins") - gives correct result
litsearch (index=* sourcetype="WinEventLog:Security" "Domain Admins") | fields keepcolorder=t "*" "_bkt" "_cd" "_si" "host" "index" "linecount" "source" "sourcetype" "splunk_server"
if i try to do like this with list
sourcetype="WinEventLog:Security" [| inputlookup group_list.csv |
return 10 $group_name]
normalizedSearch litsearch (index=* sourcetype="WinEventLog:Security" ((Domain Admins) OR (Domain Users))) | fields keepcolorder=t "*" "_bkt" "_cd" "_si" "host" "index" "linecount" "source" "sourcetype" "splunk_server"
group_list.csv
group_name
Domain Admins
Domain Users
this search return result where is domain , users, admin found, but not "Domain Admins".
Tried adding quotes and delimiters, but this do not help
nr,group_name,desc
1,"Domain Admins",super
2,Domain Users,standard
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have added to csv like this
nr,group_name,desc
1,("Domain Admins"),super
2,("Domain Users"),standard
and quates are in search
normalizedSearch litsearch (index= sourcetype="WinEventLog:Security" ("Domain Admins" OR "Domain Users")) | fields keepcolorder=t "" "_bkt" "_cd" "_si" "host" "index" "linecount" "source" "sourcetype" "splunk_server"
Events returns exactly as from
index=* sourcetype="WinEventLog:Security" (("Domain Admins") OR ("Domain Users"))
only one moment that search is going long, but for start it is OK.
Thank you for advice!
Final search looks:
index=* sourcetype="WinEventLog:Security" [| inputlookup group_list.csv |
return 10 $group_name]
CSV
nr,group_name,desc
1,("Domain Admins"),super
2,("Domain Users"),standard
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try like this
sourcetype="WinEventLog:Security" [| inputlookup group_list.csv | eval group_name="\"".group_name."\""
return 10 $group_name]
OR
sourcetype="WinEventLog:Security" [| inputlookup group_list.csv | head 10 | table group_name | rename group_name as search]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- return Error in 'eval' command: The expression is malformed.
- return only first row in search, but is very fast
Thanks for advice
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have added to csv like this
nr,group_name,desc
1,("Domain Admins"),super
2,("Domain Users"),standard
and quates are in search
normalizedSearch litsearch (index= sourcetype="WinEventLog:Security" ("Domain Admins" OR "Domain Users")) | fields keepcolorder=t "" "_bkt" "_cd" "_si" "host" "index" "linecount" "source" "sourcetype" "splunk_server"
Events returns exactly as from
index=* sourcetype="WinEventLog:Security" (("Domain Admins") OR ("Domain Users"))
only one moment that search is going long, but for start it is OK.
Thank you for advice!
Final search looks:
index=* sourcetype="WinEventLog:Security" [| inputlookup group_list.csv |
return 10 $group_name]
CSV
nr,group_name,desc
1,("Domain Admins"),super
2,("Domain Users"),standard
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this:
index=* sourcetype="WinEventLog:Security" (("Domain Admins") OR ("Domain Users"))
Let me know what output you are receiving?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You show me tip. I have added to csv like this
nr,group_name,desc
1,("Domain Admins"),super
2,("Domain Users"),standard
and quates are in search
normalizedSearch litsearch (index=* sourcetype="WinEventLog:Security" ("Domain Admins" OR "Domain Users")) | fields keepcolorder=t "*" "_bkt" "_cd" "_si" "host" "index" "linecount" "source" "sourcetype" "splunk_server"
Events returns exactly as from
index=* sourcetype="WinEventLog:Security" (("Domain Admins") OR ("Domain Users"))
only one moment that search is going long, but for start it is OK.
Thank you for advice!
Final search looks:
index=* sourcetype="WinEventLog:Security" [| inputlookup group_list.csv |
return 10 $group_name]
CSV
nr,group_name,desc
1,("Domain Admins"),super
2,("Domain Users"),standard
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
use 101010 (code sample) to post search or code
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you can try ('Domain Admins' OR 'Domain Users')?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This option does not help, search return no hits.
litsearch (index=* sourcetype="WinEventLog:Security" (('Domain Admins') OR ('Domain Users'))) | fields keepcolorder=t "*" "_bkt" "_cd" "_si" "host" "index" "linecount" "source" "sourcetype" "splunk_server"
I think it perform 'Domain AND Admin' search not "Domain Admin"
Data Management Digest – December 2025
Index This | What is broken 80% of the time by February?
Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...
