Splunk Search

How to lookup against multiple columns in CSV file?

neerajs_81
Builder

Hello All,
How can we search against 2 columns of a CSV lookup file and, if the value of the field that I am searching for happens to be in either of the 2 columns, exclude those results? Kind of a whitelist.

Let's say I have a CSV table of 2 columns as follows

URLs UA


I am searching against my firewall logs, and if the url field in the events matches the URLs column of the table OR the user_agent field from the events matches the UA column of the table, then exclude those events.
This is what I have come up with, but it's not working...

index=firewall
NOT [ | inputlookup lookup_file.csv | rename URLs AS url | fields url ] OR NOT [ | inputlookup lookup_file.csv | rename UA AS user_agent | fields user_agent ]
.......


ITWhisperer
SplunkTrust

Try AND instead of OR

index=firewall
NOT [ | inputlookup lookup_file.csv | rename URLs AS url | fields url ] AND NOT [ | inputlookup lookup_file.csv | rename UA AS user_agent | fields user_agent ]
.......


neerajs_81
Builder

Thanks a lot. Is there another way to merge checking against multiple columns into one inputlookup command, given that it's referencing the same CSV file?
Right now, as you can see, we are calling | inputlookup twice for the same CSV. Any way to consolidate into one?


PickleRick
SplunkTrust

You could try to somehow transform the inputlookup results in order to split them and form a single usable subsearch, but unless it's a huge set, there's not much point.

I don't like subsearches as such but sometimes they are unavoidable. And in your case the subsearches seem to be fairly quick. And remember that they are evaluated before the main search so you don't have to evaluate those inputlookups separately for each main search result line.
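An added example, not posted by anyone in this thread, showing the same two-column whitelist without any subsearch: the main search runs `lookup` against the file once per column and then drops every event where either column produced a match. Because the exclusion is expressed as "neither matched", it is the same De Morgan logic as the accepted answer (`NOT A OR NOT B` would only drop events that hit both columns; `NOT A AND NOT B` drops events that hit either). It assumes, as in the question, that `lookup_file.csv` is uploaded as a lookup table file with columns `URLs` and `UA`, and that the firewall events carry `url` and `user_agent` fields; the output field names `url_whitelisted` and `ua_whitelisted` are arbitrary and chosen here.

```spl
index=firewall
| lookup lookup_file.csv URLs AS url OUTPUTNEW URLs AS url_whitelisted
| lookup lookup_file.csv UA AS user_agent OUTPUTNEW UA AS ua_whitelisted
| where isnull(url_whitelisted) AND isnull(ua_whitelisted)
| fields - url_whitelisted ua_whitelisted
```

The trade-off is the one PickleRick describes from the other side: the subsearch form pushes the exclusion terms into the initial search and is evaluated once, whereas `lookup` runs as a streaming command over every event returned by `index=firewall`, so it costs more on a large result set. In exchange it is not bound by the default subsearch result limit (10,000 rows), which matters once the whitelist grows, and it matches lookup values exactly; wildcard entries in the CSV would require a lookup definition with a WILDCARD match type rather than a bare filename reference.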
