- Splunk Answers
- :
- Splunk Platform Products
- :
- Splunk Enterprise
- :
- Search text list from inputlookup ignore quates
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have some trouble with search from csv list.
If in column is two words divided with space, searching done separately for both
Example:
sourcetype="WinEventLog:Security" ("Domain Admins") - gives correct result
litsearch (index=* sourcetype="WinEventLog:Security" "Domain Admins") | fields keepcolorder=t "*" "_bkt" "_cd" "_si" "host" "index" "linecount" "source" "sourcetype" "splunk_server"
if i try to do like this with list
sourcetype="WinEventLog:Security" [| inputlookup group_list.csv |
return 10 $group_name]
normalizedSearch litsearch (index=* sourcetype="WinEventLog:Security" ((Domain Admins) OR (Domain Users))) | fields keepcolorder=t "*" "_bkt" "_cd" "_si" "host" "index" "linecount" "source" "sourcetype" "splunk_server"
group_list.csv
group_name
Domain Admins
Domain Users
this search return result where is domain , users, admin found, but not "Domain Admins".
Tried adding quotes and delimiters, but this do not help
nr,group_name,desc
1,"Domain Admins",super
2,Domain Users,standard
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have added to csv like this
nr,group_name,desc
1,("Domain Admins"),super
2,("Domain Users"),standard
and quates are in search
normalizedSearch litsearch (index= sourcetype="WinEventLog:Security" ("Domain Admins" OR "Domain Users")) | fields keepcolorder=t "" "_bkt" "_cd" "_si" "host" "index" "linecount" "source" "sourcetype" "splunk_server"
Events returns exactly as from
index=* sourcetype="WinEventLog:Security" (("Domain Admins") OR ("Domain Users"))
only one moment that search is going long, but for start it is OK.
Thank you for advice!
Final search looks:
index=* sourcetype="WinEventLog:Security" [| inputlookup group_list.csv |
return 10 $group_name]
CSV
nr,group_name,desc
1,("Domain Admins"),super
2,("Domain Users"),standard
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try like this
sourcetype="WinEventLog:Security" [| inputlookup group_list.csv | eval group_name="\"".group_name."\""
return 10 $group_name]
OR
sourcetype="WinEventLog:Security" [| inputlookup group_list.csv | head 10 | table group_name | rename group_name as search]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- return Error in 'eval' command: The expression is malformed.
- return only first row in search, but is very fast
Thanks for advice
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have added to csv like this
nr,group_name,desc
1,("Domain Admins"),super
2,("Domain Users"),standard
and quates are in search
normalizedSearch litsearch (index= sourcetype="WinEventLog:Security" ("Domain Admins" OR "Domain Users")) | fields keepcolorder=t "" "_bkt" "_cd" "_si" "host" "index" "linecount" "source" "sourcetype" "splunk_server"
Events returns exactly as from
index=* sourcetype="WinEventLog:Security" (("Domain Admins") OR ("Domain Users"))
only one moment that search is going long, but for start it is OK.
Thank you for advice!
Final search looks:
index=* sourcetype="WinEventLog:Security" [| inputlookup group_list.csv |
return 10 $group_name]
CSV
nr,group_name,desc
1,("Domain Admins"),super
2,("Domain Users"),standard
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this:
index=* sourcetype="WinEventLog:Security" (("Domain Admins") OR ("Domain Users"))
Let me know what output you are receiving?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You show me tip. I have added to csv like this
nr,group_name,desc
1,("Domain Admins"),super
2,("Domain Users"),standard
and quates are in search
normalizedSearch litsearch (index=* sourcetype="WinEventLog:Security" ("Domain Admins" OR "Domain Users")) | fields keepcolorder=t "*" "_bkt" "_cd" "_si" "host" "index" "linecount" "source" "sourcetype" "splunk_server"
Events returns exactly as from
index=* sourcetype="WinEventLog:Security" (("Domain Admins") OR ("Domain Users"))
only one moment that search is going long, but for start it is OK.
Thank you for advice!
Final search looks:
index=* sourcetype="WinEventLog:Security" [| inputlookup group_list.csv |
return 10 $group_name]
CSV
nr,group_name,desc
1,("Domain Admins"),super
2,("Domain Users"),standard
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
use 101010 (code sample) to post search or code
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you can try ('Domain Admins' OR 'Domain Users')?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This option does not help, search return no hits.
litsearch (index=* sourcetype="WinEventLog:Security" (('Domain Admins') OR ('Domain Users'))) | fields keepcolorder=t "*" "_bkt" "_cd" "_si" "host" "index" "linecount" "source" "sourcetype" "splunk_server"
I think it perform 'Domain AND Admin' search not "Domain Admin"
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
