Splunk Search

Loop through single column list in Inputlookup csv and check if column values are found across multiple index events

dk777
New Member

Hello. I have an input lookup csv file with a single column named “Domain” that has a list of domain names in that column. I would like to loop through all those domain names and check if there are any events (from multiple indexes where I don’t want to worry about finding what Splunk field matches to “domain”) that include any of the domain names from my inputlookup csv. How would I build this search? 


richgalloway
SplunkTrust

To clarify, you have a list of domain names in a field called "Domain" that you want to match against any field that contains the same text? If so, try this. It's not terribly efficient and could produce false positives, but it's a start.

index IN (foo, bar, baz) [ | inputlookup mylookupfile.csv | return 1000 $Domain ]
---
If this reply helps you, Karma would be appreciated.
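The same subsearch pattern, extended into a summary search that a hunter would actually run, as an added example that is not from the original answer. It assumes the same hypothetical lookup name (mylookupfile.csv), lookup column (Domain) and index names (foo, bar, baz) used in the answer above; the 24-hour window is an illustrative choice.

```spl
index IN (foo, bar, baz) earliest=-24h latest=now
    [ | inputlookup mylookupfile.csv | return 1000 $Domain ]
| stats count AS events, earliest(_time) AS first_seen, latest(_time) AS last_seen BY index, sourcetype
| convert ctime(first_seen) ctime(last_seen)
| sort - events
```

The subsearch expands to a bare-term list of the form `"a.example" OR "b.example" OR ...`; because OR binds tighter than the implicit AND in SPL, the `index IN (...)` and time constraints still apply to every domain. To see exactly what will be injected, run the bracketed part on its own (`| inputlookup mylookupfile.csv | return 1000 $Domain`). Two caveats a practitioner should check: `return 1000` only passes the first 1000 rows of the lookup, and subsearches are further capped by the limits.conf defaults (10,000 results and 60 seconds), so a long domain list is silently truncated; and a bare term matches the domain string anywhere in the raw event text, so `example.com` will also hit events containing `mail.example.com` or `example.com.evil.test`, which is the source of the false positives mentioned in the answer. Once the relevant field has been identified per sourcetype, switching to a field-bound match (for example via `format` against that field, or a `lookup` with the field as the key) removes those.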