Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Searching each line of a file against a splunk ind...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi all, I have a file lets say eachline.txt and I would like to search each line within the file against a index.
Ex:
192.168.3.0
192.168.40.25
Did some reading and it appears I need to use the inputlookup command to do this? Can someone confirm if this is true and does the file need to be a csv?
My thought would I would do something like index=someindex | inputlookup eachline.txt and it would search the index in question?
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry, but it doesn't work like that..
There is a tutorial here on lookups: http://docs.splunk.com/Documentation/Splunk/4.3.2/User/Fieldlookupstutorial
Note that you do NOT want to set up the automatic lookup.
What you want to do is a little different than the usual application. But here is how it could work:
index="myindex" [ inputlookup yourlookupname | fields ipAddress ]
This assumes that the data is in a csv file, with a header line. And that the header for the IP address field is "ipAddress" and that ipAddress is also the field name in your index.
Each time that you want to change the list of files to search, you would need to take a minute and upload a new CSV file for the lookup.
Very important: the subsearch (within the brackets) has some limitations:
By default, the number of items returned from the subsearch is limited to 100. You can up this maximum, but the absolute maximum is 10500. To up the limit to the max:
index="myindex" [ inputlookup yourlookupname | fields ipAddress | format maxresults = 10500 ]
If your "eachline.txt" file could be more than 10500 lines long, post back and I'll propose a different solution...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry, but it doesn't work like that..
There is a tutorial here on lookups: http://docs.splunk.com/Documentation/Splunk/4.3.2/User/Fieldlookupstutorial
Note that you do NOT want to set up the automatic lookup.
What you want to do is a little different than the usual application. But here is how it could work:
index="myindex" [ inputlookup yourlookupname | fields ipAddress ]
This assumes that the data is in a csv file, with a header line. And that the header for the IP address field is "ipAddress" and that ipAddress is also the field name in your index.
Each time that you want to change the list of files to search, you would need to take a minute and upload a new CSV file for the lookup.
Very important: the subsearch (within the brackets) has some limitations:
By default, the number of items returned from the subsearch is limited to 100. You can up this maximum, but the absolute maximum is 10500. To up the limit to the max:
index="myindex" [ inputlookup yourlookupname | fields ipAddress | format maxresults = 10500 ]
If your "eachline.txt" file could be more than 10500 lines long, post back and I'll propose a different solution...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks lguinn, will give it a shot.
Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...
Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions
Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...
