Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Lookup - Filter a search with lookup content

NunnuN
Engager
‎09-06-2023 07:03 AM

Greetings.

I am quite new to Splunk and read a lot of sources.

However, I have a hard time to find my answer about the join and eval functions.

I have a first search on an index. I want to filter this search with values of one field in a csv I import as lookup.

Example:

index="data" sourcetype="entities" | table EMAIL EXTERNAL_EMAIL CATEGORY

And I have the inputlookup

 inputlookup 20230904_NeverLoggedIn.csv

How do I compare the field EXTERNAL_EMAIL from the index to the E_MAIL field in the csv file as a filter?

Many thanks for the help.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎09-06-2023 07:21 AM

Hi @NunnuN,

let me understand: do you want to take only the E_MAILs in the index that match with the lookup or what else?

if you want the matching E-MAILs, you have to use a subsearch like the following:

index="data" sourcetype="entities" [ | inputlookup 20230904_NeverLoggedIn.csv | rename E_MAIL  AS EXTERNAL_EMAIL | fields EXTERNAL_EMAIL ]
| table EXTERNAL_EMAIL CATEGORY

 Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎09-06-2023 03:47 PM

As @gcusello points out you can do this with a subsearch/inputlookup to the outer search or you can do it with a lookup + where clause - try both and use the one that gives you the best performance

index="data" sourcetype="entities" 
``` This will lookup the EXTERNAL_EMAIL field in the data against the E_MAIL
    field in the CSV ```
| lookup 20230904_NeverLoggedIn.csv E_MAIL as EXTERNAL_EMAIL OUTPUT E_MAIL as Found
``` If the EXTERNAL_EMAIL is Found in this case, it will give you the result
    Changed to isnull(Found) to find users that do NOT exist in the CSV ```
| where isnotnull(Found)
| table EMAIL EXTERNAL_EMAIL CATEGORY
0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎09-06-2023 07:21 AM

Hi @NunnuN,

let me understand: do you want to take only the E_MAILs in the index that match with the lookup or what else?

if you want the matching E-MAILs, you have to use a subsearch like the following:

index="data" sourcetype="entities" [ | inputlookup 20230904_NeverLoggedIn.csv | rename E_MAIL  AS EXTERNAL_EMAIL | fields EXTERNAL_EMAIL ]
| table EXTERNAL_EMAIL CATEGORY

 Ciao.

Giuseppe

Reply
Get Updates on the Splunk Community!

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

A Guide To Cloud Migration Success

As enterprises’ rapid expansion to the cloud continues, IT leaders are continuously looking for ways to focus ...