How to refer to a lookup CSV file I just uploaded ...

jackywsy · ‎08-18-2015

Hi Everyone,

I have uploaded a CSV file to the lookup table. Only one column of data is in the list. for e.g. I put some web links into the list,

*.baidu.com
*.sina.com.cn
*.sohu.com
.....

How do I write a search to refer to the CSV file? Do I have put the info into a transforms.conf file?

I want to run a search like:

index=* sourcetype=websence http_method=post NOT  {(*THE CSV FILE OF THE WEBSITE LINKS*)"} ..... | stats ...

Please help...

woodcock · ‎08-19-2015

Like this:

index=* sourcetype=websence http_method=post NOT [inputcsv YouCSVFile | rename InsideCSVFieldName AS EventDataFieldName] ..... | stats ...

sduff_splunk · ‎08-19-2015

Firstly, refer to http://answers.splunk.com/answers/52580/can-we-use-wild-characters-in-lookup-table.html about setting up a lookup with wildcards. You may also want to add an additional field to the lookup file (maybe call it 'in_lookup').

Then you will want to do the following search...

index=* sourcetype=websence http_method=post | lookup weblink_lookup | where NOT in_lookup="*"

How to refer to a lookup CSV file I just uploaded in a search?