Splunk Search
Highlighted

How to take index names from a CSV file and run a stats count on the listed index names?

Communicator

I need to find various information (counts, last and first event received time, etc) on indexes listed in a CSV file. There will be a time when index names will be added and hence, I don't want to hardcode my search with index names. I want to keep them in CSV so its easy to update.

0 Karma
Highlighted

Re: How to take index names from a CSV file and run a stats count on the listed index names?

Hi,

you can use a subsearch:

[| inputlookup myindexes.csv | table index] | rest of your search

In this example, imagine there is a csv file with a column "index" and in this column you list all your indexes.
The subsearch is resolved like this

 index=index1 OR index2 ...

Splunk interprets your search like this:

index=index1 OR index=index2 ... | rest of your search

Greetings

Tom

View solution in original post

0 Karma
Highlighted

Re: How to take index names from a CSV file and run a stats count on the listed index names?

Communicator

Thanks Tom, first option worked flawlessly. Appreciate your help.

0 Karma