Solved: To include 80+ applications in SPL

rajatsinghbagga · ‎08-22-2019

Hello Everyone,

I have got the list of 80+ applications this I want to include in my SPL. Is there a way I can use CSV lookup to do that? The applications list look like:-

APP-ID,DESCRIPTION
A1*,test app 1
B2*,test app 2
C3*,test app 3
D4*,test app 4
...

Sample SPL I would like to create to include these applications:-

index=app-data  APP-ID=A1* OR APP-ID=B2* OR APP-ID=C3* OR APP-ID=D4*.... |

I am not using the DESCRIPTION as mentioned in the sample CSV above at this stage. I am just trying to figure out if there is a way to look up these applications from a CSV file rather then having to type these in the SPL or if there is any other alternative please suggest.

Thank you,
Rajat

KailA · ‎08-22-2019

Hello,

If you already have the csv as a lookup, it's perfect.
You can do something like that in your SPL :

index=app-data [|inputlookup yourLookup | fields APP-ID]

It should work for you.

Kail

View solution in original post

KailA · ‎08-22-2019

Hello,

If you already have the csv as a lookup, it's perfect.
You can do something like that in your SPL :

index=app-data [|inputlookup yourLookup | fields APP-ID]

It should work for you.

Kail

To include 80+ applications in SPL

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

Analytics Workspace deprecation

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Join the Conversation