Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How can I display a matched value from a list.csv ?

packet_hunter
Contributor
‎01-22-2016 01:20 PM

For back ground please check the accepted answer for :
Best way to check email logs for recipients that are on a list

Scenario:
Searching for emails with a specific subject.
Need to know if any recipients are on a watch_list.csv (this has been accomplished by the following from somesoni2)
.... | lookup watch_list.csv emailaddress as recp OUTPUT flag | eval on_list=if(flag=1,"yes","no") | fields - flag ....

However, now I need the yes and the emailaddress that match the emailaddress on the watch_list.csv

Please provide an example.

Thank you

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎01-22-2016 01:39 PM

Just change your lookup command like this

..... | lookup watch_list.csv emailaddress as recp OUTPUT flag emailaddress | eval on_list=if(flag=1,"yes","no") | fields - flag

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎01-22-2016 01:39 PM

Just change your lookup command like this

..... | lookup watch_list.csv emailaddress as recp OUTPUT flag emailaddress | eval on_list=if(flag=1,"yes","no") | fields - flag
0 Karma
Reply
Solved! Jump to solution

packet_hunter
Contributor
‎01-22-2016 01:44 PM

I knew you would come thru!!!! Thanks for all the help, I was adding emailaddress after the pipe... d'oh
Thanks again

0 Karma
Reply
Solved! Jump to solution

packet_hunter
Contributor
‎01-22-2016 02:06 PM

um, is there a way to arrange the columns so that on_list column comes before emailaddress?

0 Karma
Reply
Solved! Jump to solution

jluo_splunk
Splunk Employee
Splunk Employee
‎01-22-2016 01:33 PM

Are the email addresses stored in different field names? If so, try appending this to the end of your search

.. | where on_list="yes" AND  email1=email2
0 Karma
Reply
Solved! Jump to solution

packet_hunter
Contributor
‎01-22-2016 01:45 PM

Thank you, however Somesoni2's answer actually works better for me.

0 Karma
Reply
Solved! Jump to solution

packet_hunter
Contributor
‎01-22-2016 01:28 PM

in other words, I want to add the emailaddress to the yes output....

eval on_list=if(flag=1, "Yes" --and the matching emailaddress

Thank you

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

    Are you ready to transform how your team handles complex data requests? We invite you to our upcoming ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...