Search & compare value for each search result to v...

majlo333 · ‎03-20-2025

Hi,

I have a query that goes something like this:

index=myindex
| eval urgency="medium", account_name='awsMetadata.account.name'
| stats count values(account_name) as account_name, values(urgency) as urgency

I also have a CSV file which has the following columns and values

env, project_name
prod,prod_account11
dev,dev_account3
prod,prod_account55
qa,qa_account43

I wish to compare each of the results in the query above using "account_name" field with CSV file field "project_name", and if those two values match for each result, I wish to create a new field "env" in my results based on the "env" field from CSV file.

eg. if query result "prod_account55" from account_name field is found in CSV file "prod_account55" from project_name field, extract prod value from env field as a new field in the results.

gcusello · ‎03-20-2025

Hi @majlo333 ,

you should try to use the lookup command ( https://docs.splunk.com/Documentation/Splunk/9.4.1/SearchReference/Lookup 😞

index=myindex 
| eval urgency="medium", account_name='awsMetadata.account.name'
| lookup your_lookup.csv project_name AS account_name OUTPUT env 
| stats 
     values(env) AS env 
     values(urgency) as urgency 
     BY account_name

Ciao.

Giuseppe

Search & compare value for each search result to value in CSV (inputlookup or lookup)

lookup

Developer Spotlight with Brett Adams

Index This | What can you do to make 55,555 equal 500?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...