- Community
- :
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Ho to get search input from csv file
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am having a csv file which contains some production server jobs name to monitor. I want to give those jobs listed in the file as a search string input to the splunk.
Is there any way to achieve it?
I cant put the Jobs in search as JOB1 OR JOB2 OR JOB3 OR and so on. But the job list is more than 60, so i am looking for a way to give all those job names as search input directly. Please let me know which command i need to use for this purpose.
Thanks in Advance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Kwip,
You have to do the following steps:
- create a lookup (e.g. jobs.csv), I suggest to use Lookup Editor App, it's usefule to use as lookup column name the same name of the field in your logs (e.g. (job");
- create a lookup definition [Settings -- Lookups -- Lookup Definitions] related to the new lookup;
- use lookup to filter your searches.
the search is something like this:
Your_search [ | inputlookup jobs.csv | fields job ]
| ....
If you want to monitor the presence of logs for all lookup values, your search will be something like this:
Your_search
| stats count by job
| append [ | inputlookup jobs.csv | eval count=0| fields job count ]
| stats sum(count) AS Total by job
In this way:
- Total=0 for one or more jobs means that there aren't logs for these jobs (you could also trigger an alert for this);
- Total>0 means that there are logs for that job.
Bye.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Kwip,
You have to do the following steps:
- create a lookup (e.g. jobs.csv), I suggest to use Lookup Editor App, it's usefule to use as lookup column name the same name of the field in your logs (e.g. (job");
- create a lookup definition [Settings -- Lookups -- Lookup Definitions] related to the new lookup;
- use lookup to filter your searches.
the search is something like this:
Your_search [ | inputlookup jobs.csv | fields job ]
| ....
If you want to monitor the presence of logs for all lookup values, your search will be something like this:
Your_search
| stats count by job
| append [ | inputlookup jobs.csv | eval count=0| fields job count ]
| stats sum(count) AS Total by job
In this way:
- Total=0 for one or more jobs means that there aren't logs for these jobs (you could also trigger an alert for this);
- Total>0 means that there are logs for that job.
Bye.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Generally I prefer to use table rather than fields here, because it ensures there will be no odd internal fields that I don't know about. For inputlookup or inputcsv it might not happen, but we often use the same formula for all kinds of searches that make data, so a habit of using table will pay off in the long run.
Your_search [ | inputlookup jobs.csv | table job ]
| ....
Kwip - the above command works because the subsearch in the braces [] is implicitly processed by the format command into a string that looks like "( ( job=JOB1 ) OR ( job=JOB2 ) OR ( job=JOB3 ) OR... )", just as if format was explicitly called like this...
Your_search [ | inputlookup jobs.csv | table job | format ]
| ....
For more details on how it works, see the format command. http://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Format
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you!!! It works
Build Scalable Security While Moving to Cloud - Guide From Clayton Homes
Mission Control | Explore the latest release of Splunk Mission Control (2.3)
Cloud Platform | Migrating your Splunk Cloud deployment to Python 3.7
