Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk search csv number

Crotyo
Observer
‎11-26-2024 02:26 AM

I have a csv file like this that contain more than 100 numbers

 

11111111

22222222

33333333

 

I want to search for events that contain these number.

I can use index=* "11111111" OR "22222222" 

but it take way to long. Is there a faster way?

these number does not have a seperate fields or am i searching in any fields. im just searching for any event log that contain these number. Can anyone help? Thanks.

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-26-2024 05:05 AM

Assuming your csv is called numbers.csv and the field if called number, try something like this

index=* [| inputlookup numbers.csv | rename number as search | table search]
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎11-26-2024 11:55 PM

Close. But not complete.

 

index=* [| inputlookup numbers.csv | rename number as search | table search | format ]

Without the final format command Splunk will use only first row of the subsearch results as a condition. So it will only look for the first value from the lookup.

 

Reply

Crotyo
Observer
‎11-26-2024 06:58 AM

I did try that and the search result return empty.

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎11-26-2024 03:16 AM

Whether it takes long to search it depends on your data. If these are really long and fairly unique terms, they can be (relatively) quickly searchable provided that you're looking strictly for those terms, not some wildcarded variations (especially with wildcard not at the end of the search term).

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-26-2024 02:36 AM

Hi @Crotyo ,

you should put the csv file in a lookup (called e.g. "my_lookup.csv", containing at least one field (e.g. "my_field") and then run a search like the following:

index=* [ | inputlookup my_lookup.csv | rename my_field AS query | fields query ]
| ...

in this way you perform a search in full text search mode on all the events.

Ciao.

Giuseppe

0 Karma
Reply

Crotyo
Observer
‎11-26-2024 07:05 AM

I tried that and the search return empty. I tried checking the inputlookup command and it did list all the numbers.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-26-2024 07:15 AM

Hi @Crotyo ,

could you share your search?

Ciao.

Giuseppe

0 Karma
Reply

Crotyo
Observer
‎11-26-2024 05:59 PM

Here's picture of my csv files and search result. It only display the result for the first number. When I search using OR, it does display correctly

CSV.PNG

 

 

 

Number.PNGSearch.PNG

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-26-2024 11:19 PM

Hi @Crotyo ,

I see from your screenshot that you have results, so what's the issue?

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | What’s a riddle wrapped in an enigma?

September 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

BORE at .conf25

Boss Of Regular Expression (BORE) was an interactive session run again this year at .conf25 by the brilliant ...

OpenTelemetry for Legacy Apps? Yes, You Can!

This article is a follow-up to my previous article posted on the OpenTelemetry Blog, "Your Critical Legacy App ...