How to lookup against multiple columns in CSV file?

neerajs_81
Builder

Hello All,
How can we search against 2 columns of a CSV lookup file and, if the value of the field I am searching for happens to be in either of the 2 columns, exclude those results? Kind of a whitelist.

Let's say I have a CSV table of 2 columns as follows:

URLs    UA
I am searching against my firewall logs, and if the url field in the events matches the URLs column of the table OR the user_agent field from the events matches the UA column of the table, then exclude those events.
This is what I have come up with, but it's not working...

index=firewall
NOT [ | inputlookup lookup_file.csv | rename URLs as url | fields url ] OR NOT [ | inputlookup lookup_file.csv | rename UA as user_agent | fields user_agent ]
.......


ITWhisperer
SplunkTrust

Try AND instead of OR

index=firewall
NOT [ | inputlookup lookup_file.csv | rename URLs as url | fields url ] AND NOT [ | inputlookup lookup_file.csv | rename UA as user_agent | fields user_agent ]
.......


neerajs_81
Builder

Thanks a lot. Is there another way to merge checking against multiple columns into one inputlookup command, given that it's referencing the same CSV file?
Right now, as you can see, we are calling | inputlookup twice for the same CSV. Any way to consolidate into one?


PickleRick
SplunkTrust

You could try to somehow transform the inputlookup results in order to split them and form a single usable subsearch, but unless it's a huge set, there's not much point.

I don't like subsearches as such, but sometimes they are unavoidable. And in your case the subsearches seem to be fairly quick. And remember that they are evaluated before the main search, so you don't have to evaluate those inputlookups separately for each main search result line.
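For reference, here is the "transform the inputlookup results into a single subsearch" idea worked through. This is an added example, not code from any post in the thread, and it assumes the column names URLs and UA and the event fields url and user_agent from the question; the placeholder value __empty_whitelist_placeholder__ is a constructed sentinel, not something from the lookup. The subsearch builds one url="..." or user_agent="..." clause per non-empty cell, collapses them with stats so the file is read once, and returns them in a field named search, which Splunk splices into the outer search verbatim:

```spl
index=firewall
    NOT [
        | inputlookup lookup_file.csv
        | eval clause=mvappend(
              if(isnotnull(URLs) AND URLs!="", "url=\"" . URLs . "\"", null()),
              if(isnotnull(UA) AND UA!="", "user_agent=\"" . UA . "\"", null()))
        | stats values(clause) AS clause
        | eval search=if(isnull(clause),
              "url=\"__empty_whitelist_placeholder__\"",
              "(" . mvjoin(clause, " OR ") . ")")
        | fields search
    ]
```

The isnull guard matters: if the CSV has no usable cells the subsearch would otherwise return an empty clause, and the placeholder clause matches nothing, so an empty whitelist excludes nothing instead of silently changing the result set. Two caveats apply to any whitelist built this way: a cell containing a double quote will break the generated clause, and a * in a cell becomes a search wildcard, which is fine if intended but worth checking when the file is maintained by hand. Subsearches are also capped by the subsearch result limit, so for a very large whitelist the lookup command (matching URLs against url and UA against user_agent into marker fields, then keeping only events where both markers are null) scales better than any subsearch form.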
