Splunk Search

How do you filter search results based on field-values in a lookup file?

I have 19 unique address values in an address.csv file, such as
address
/ai/rcmid/abinitio/prod/rcmln/data/mfs/mfs14way/rcm/rcmamlsrc/main/damlvisaaccount.dat
/ai/rcmid/abinitio/prod/rcmln/data/mfs/mfs14way/rcm/rcmamlsrc/main/damlalsaccount.dat
/ai/rcmid/abinitio/prod/rcmln/data/mfs/mfs14way/rcm/rcmamlsrc/main/damlimpactaccount.dat
/ai/rcmid/abinitio/prod/rcmln/data/mfs/mfs14way/rcm/rcmamlsrc/main/damlfdraccount.dat
/ai/rcmid/abinitio/prod/rcmln/data/mfs/mfs14way/rcm/rcmamlsrc/main/damlmortgageaccount.dat
/ai/rcmid/abinitio/prod/rcmln/data/mfs/mfs14way/rcm/rcmamlsrc/main/damlcompassaccount.dat
.......................

and I want to filter my base search results so that only the results whose address appears in the CSV file are kept.

index=dime sourcetype=auditd [search index=dime sourcetype=auditd key=aud_sar success=yes | table msg] | transaction msg
| table node, address, auid, uid
| rename node as "Server", address as "Name"


Re: How do you filter search results based on field-values in a lookup file?

SplunkTrust

Something like this would work, assuming the address.csv file has a field called address that has the URLs you want to match.

index=dime sourcetype=auditd [search index=dime sourcetype=auditd key=aud_sar success=yes | table msg] | transaction msg
| table node, address, auid, uid
| lookup address.csv address OUTPUT address as foundme
| where address = foundme
| rename node as "Server", address as "Name"


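An equivalent way to express the filter from the question and the accepted answer, added here as an example and not taken from the original thread. It assumes the same index, sourcetype and field names as the question, and that address.csv has been uploaded as a lookup table file (with a header row naming the column `address`) that is visible from the app where the search runs. Instead of joining the lookup and comparing the joined value, it turns the lookup contents into a search filter with an `inputlookup` subsearch:

```spl
index=dime sourcetype=auditd
    [search index=dime sourcetype=auditd key=aud_sar success=yes | fields msg]
| transaction msg
| search [| inputlookup address.csv | fields address]
| table node, address, auid, uid
| rename node as "Server", address as "Name"
```

The subsearch `[| inputlookup address.csv | fields address]` expands to `address="/ai/..." OR address="/ai/..." OR ...`, one term per row of the CSV, so the `search` command keeps only transactions whose `address` field (which becomes multivalued after `transaction`) contains one of those paths. The filter deliberately sits after `transaction`, as in the accepted answer: if the address and the auid/uid values arrive on different events of the same audit message, filtering on `address` in the base search would discard the events that carry auid and uid before they could be stitched together. Subsearches are limited by default to 10,000 result rows and 60 seconds of runtime, which is far beyond the 19 rows here but worth remembering if the lookup grows. If you prefer the `lookup` form from the accepted answer, `| where isnotnull(foundme)` is an equally valid test, since `foundme` is only populated for rows with a match.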