- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Query to search for huge set of URLs
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have close to 2000 URLs I want to search in one source. Is it possible to do it in one query by using lookup and what is the query?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You need to add those URLs in a csv file, say filterurl.csv with header as url, and add filterurl.csv as lookup table file in Splunk. Now try this,
if your data from that source has a field called url (same name as in lookup table) based on which you want to filter:
index=yourindex sourcetype=yoursourcetype source=yoursource [| inputlookup filterurl.csv | table url ]
if your data from that source has a field called myurl (different name as in lookup table) based on which you want to filter:
index=yourindex sourcetype=yoursourcetype source=yoursource [| inputlookup filterurl.csv | table url | rename url as myurl]
if your data doesn't have the field extracted and you want to do text based filter
index=yourindex sourcetype=yoursourcetype source=yoursource [| inputlookup filterurl.csv | table url | rename url as search]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Somesoni2's answer is correct to what is technically possible.
The caution required is that, if you have a set of 2000 URLs that you are going to be searching for, though your entire source, then unless that is an indexed field, that search is likely to take slightly less than forever. Be sure to test with a lookup table of, say, 50 URLs across a limited time period where you know at least a few events should be, before submitting a search that might suck enough power to dim the lights.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You need to add those URLs in a csv file, say filterurl.csv with header as url, and add filterurl.csv as lookup table file in Splunk. Now try this,
if your data from that source has a field called url (same name as in lookup table) based on which you want to filter:
index=yourindex sourcetype=yoursourcetype source=yoursource [| inputlookup filterurl.csv | table url ]
if your data from that source has a field called myurl (different name as in lookup table) based on which you want to filter:
index=yourindex sourcetype=yoursourcetype source=yoursource [| inputlookup filterurl.csv | table url | rename url as myurl]
if your data doesn't have the field extracted and you want to do text based filter
index=yourindex sourcetype=yoursourcetype source=yoursource [| inputlookup filterurl.csv | table url | rename url as search]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This was awesome. It worked. I am doing it in chunk of 500 and it is working.
Really appreciate the help always provided on the forum.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Since that worked, could you please Accept somesoni2's answer? That will help future searchers find this easier and better!
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
