Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk search csv number

Crotyo
Observer
‎11-26-2024 02:26 AM

I have a csv file like this that contain more than 100 numbers

 

11111111

22222222

33333333

 

I want to search for events that contain these number.

I can use index=* "11111111" OR "22222222" 

but it take way to long. Is there a faster way?

these number does not have a seperate fields or am i searching in any fields. im just searching for any event log that contain these number. Can anyone help? Thanks.

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-26-2024 05:05 AM

Assuming your csv is called numbers.csv and the field if called number, try something like this

index=* [| inputlookup numbers.csv | rename number as search | table search]
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎11-26-2024 11:55 PM

Close. But not complete.

 

index=* [| inputlookup numbers.csv | rename number as search | table search | format ]

Without the final format command Splunk will use only first row of the subsearch results as a condition. So it will only look for the first value from the lookup.

 

Reply

Crotyo
Observer
‎11-26-2024 06:58 AM

I did try that and the search result return empty.

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎11-26-2024 03:16 AM

Whether it takes long to search it depends on your data. If these are really long and fairly unique terms, they can be (relatively) quickly searchable provided that you're looking strictly for those terms, not some wildcarded variations (especially with wildcard not at the end of the search term).

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-26-2024 02:36 AM

Hi @Crotyo ,

you should put the csv file in a lookup (called e.g. "my_lookup.csv", containing at least one field (e.g. "my_field") and then run a search like the following:

index=* [ | inputlookup my_lookup.csv | rename my_field AS query | fields query ]
| ...

in this way you perform a search in full text search mode on all the events.

Ciao.

Giuseppe

0 Karma
Reply

Crotyo
Observer
‎11-26-2024 07:05 AM

I tried that and the search return empty. I tried checking the inputlookup command and it did list all the numbers.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-26-2024 07:15 AM

Hi @Crotyo ,

could you share your search?

Ciao.

Giuseppe

0 Karma
Reply

Crotyo
Observer
‎11-26-2024 05:59 PM

Here's picture of my csv files and search result. It only display the result for the first number. When I search using OR, it does display correctly

CSV.PNG

 

 

 

Number.PNGSearch.PNG

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-26-2024 11:19 PM

Hi @Crotyo ,

I see from your screenshot that you have results, so what's the issue?

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...