Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Lookup - Filter a search with lookup content

NunnuN
Engager
‎09-06-2023 07:03 AM

Greetings.

I am quite new to Splunk and read a lot of sources.

However, I have a hard time to find my answer about the join and eval functions.

I have a first search on an index. I want to filter this search with values of one field in a csv I import as lookup.

Example:

index="data" sourcetype="entities" | table EMAIL EXTERNAL_EMAIL CATEGORY

And I have the inputlookup

 inputlookup 20230904_NeverLoggedIn.csv

How do I compare the field EXTERNAL_EMAIL from the index to the E_MAIL field in the csv file as a filter?

Many thanks for the help.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎09-06-2023 07:21 AM

Hi @NunnuN,

let me understand: do you want to take only the E_MAILs in the index that match with the lookup or what else?

if you want the matching E-MAILs, you have to use a subsearch like the following:

index="data" sourcetype="entities" [ | inputlookup 20230904_NeverLoggedIn.csv | rename E_MAIL  AS EXTERNAL_EMAIL | fields EXTERNAL_EMAIL ]
| table EXTERNAL_EMAIL CATEGORY

 Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎09-06-2023 03:47 PM

As @gcusello points out you can do this with a subsearch/inputlookup to the outer search or you can do it with a lookup + where clause - try both and use the one that gives you the best performance

index="data" sourcetype="entities" 
``` This will lookup the EXTERNAL_EMAIL field in the data against the E_MAIL
    field in the CSV ```
| lookup 20230904_NeverLoggedIn.csv E_MAIL as EXTERNAL_EMAIL OUTPUT E_MAIL as Found
``` If the EXTERNAL_EMAIL is Found in this case, it will give you the result
    Changed to isnull(Found) to find users that do NOT exist in the CSV ```
| where isnotnull(Found)
| table EMAIL EXTERNAL_EMAIL CATEGORY
0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎09-06-2023 07:21 AM

Hi @NunnuN,

let me understand: do you want to take only the E_MAILs in the index that match with the lookup or what else?

if you want the matching E-MAILs, you have to use a subsearch like the following:

index="data" sourcetype="entities" [ | inputlookup 20230904_NeverLoggedIn.csv | rename E_MAIL  AS EXTERNAL_EMAIL | fields EXTERNAL_EMAIL ]
| table EXTERNAL_EMAIL CATEGORY

 Ciao.

Giuseppe

Reply
Get Updates on the Splunk Community!

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Pack your bags (and maybe your dancing shoes)—Cisco Live is heading to San Diego, June 8–12, 2025, and Splunk ...

Splunk App Dev Community Updates – What’s New and What’s Next

Welcome to your go-to roundup of everything happening in the Splunk App Dev Community! Whether you're building ...

The Latest Cisco Integrations With Splunk Platform!

Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco + Splunk! We’ve ...
Top