Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- CSV Lookup for search query
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Abdulm1
Explorer
02-12-2020
01:04 AM
I have a search query like this
index=ppt sm.to{}="12-12-518@dt.com" OR sm.to{}="050920@cp.com" |table sm.to{} sm.stat
and I want to use a csv lookup instead because I have more email address to use and I want the result to show this two fields .
My csv contains this
sm.to{}
050920@cp.com
12-12-518@dt.com
774211@PP.com
859@dat.com
20909@PP.com
07548@pp.com
Can anyone help with a lookup search query for me . thanks.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
manjunathmeti
Champion
02-12-2020
01:31 AM
Try this:
index=ppt | lookup .csv sm.to{} OUTPUT sm.to{} as sm_to | search sm_to = *
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
manjunathmeti
Champion
02-12-2020
01:31 AM
Try this:
index=ppt | lookup .csv sm.to{} OUTPUT sm.to{} as sm_to | search sm_to = *
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Abdulm1
Explorer
02-12-2020
05:44 AM
am actaully using inputlookup so i used the below command but it did not work
index=proofpoint sourcetype=pps_maillog | inputlookup smto OUTPUT sm.to{} as sm_to | search sm_to = *
I tried the following as well but did not work
index=ppt
| eval Recipients='sm.to{}'
| table Recipients
| search Recipients = "*"
| join type=inner Recipients
[| inputlookup smto
| table sm.to{} sm.stat]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Abdulm1
Explorer
02-12-2020
03:22 PM
Thanks @manjunathmeti it worked perfectly.
index=ppt | lookup .csv sm.to{} OUTPUT sm.to{} as sm_to | search sm_to = * | table sm_to sm.stat
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
manjunathmeti
Champion
02-12-2020
05:55 AM
May be it's due to field name, rename sm.to{} to smto in csv file and search query and try.
Get Updates on the Splunk Community!
Splunk App for Anomaly Detection End of Life Announcement
Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...
Aligning Observability Costs with Business Value: Practical Strategies
Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...
Mastering Data Pipelines: Unlocking Value with Splunk
In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...
