Splunk Search

How to generate a search to compare the value of a field with a CSV table?

soesia12
New Member

Hello!

I'm currently trying to compare the value of a field with a csv table.

I want to compare the destination port (dst_port) with the values of pwhitelist.csv and display the ports that are not included in the csv data.

For example: the csv file consists of the ports 80, 8080, 443 and 8000 want to display all dst_ports that are not 80, 8080, 443 or 8000.

Thanks

0 Karma
1 Solution

jkat54
SplunkTrust
SplunkTrust
yourBaseSearch NOT [|inputlookup pwhitelist.csv | fields Ports | rename Ports AS dst_port | format]

View solution in original post

jkat54
SplunkTrust
SplunkTrust
yourBaseSearch NOT [|inputlookup pwhitelist.csv | fields Ports | rename Ports AS dst_port | format]

soesia12
New Member

Hey!

Doesn't work. It just lists all ports.

In the file there are just a few ports. At the moments it's just for testing.
pwhitelist.csv:

In the file is only one column with the header "Ports".
The values 80,443,8000,8080 are in that column.

0 Karma

jkat54
SplunkTrust
SplunkTrust

I edited my answer, please try the new version. If dst_port isn't the field name in your index, then change it to the field name you have for the ports in your indexed data.

0 Karma

soesia12
New Member

thanks so much ! it worked

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...