Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Using Lookup csv file to query fieldname

chrismatt02
Explorer
‎10-22-2024 11:11 PM

I have a lookup file saved with a single column having values of specific fields in it. And want to use to search in query which matched with values in field names

Example:

lookupname : test.csv
column name: column1

fieldname: field1

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎10-23-2024 10:50 PM

See syntax help in lookup.  This is what I suggest:

| lookup column1 AS field1 test.csv output column1 as match
| where isnotnull(match)

View solution in original post

Reply
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎10-23-2024 10:50 PM

See syntax help in lookup.  This is what I suggest:

| lookup column1 AS field1 test.csv output column1 as match
| where isnotnull(match)
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-23-2024 01:00 AM

This is a bit vague. Can you give an example of the type of search you are trying / wanting to do with your lookup?

0 Karma
Reply
Solved! Jump to solution

chrismatt02
Explorer
‎10-23-2024 06:20 PM

@ITWhisperer I am using lookup file with single column, multiple entries which contains filenames. I am trying to match that names with the Filename field in query to obtain results which matches the value.


0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎10-23-2024 12:15 AM

OK. But do you have just one column with multiple values? Or do you have multiple columns? How would your lookup contents match the data you want to search for?

0 Karma
Reply
Solved! Jump to solution

chrismatt02
Explorer
‎10-23-2024 06:21 PM

@PickleRick I am using single column multiple entries and just trying to compare values in lookup file with the logs which contains those values and output the results

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎10-24-2024 04:47 AM

With a relatively dense search the approach shown by @yuanliu is the most typical thing to do.

But if you expect that the search will be sparse, you might want to use the lookup by means of a subsearch to generate a set of conditions directly into your search

<your_base_search> [ | inputlookup your_lookup.csv | rename if needed ]
| <rest_of_your_search>

This might prove to be more effective if your resulting set of conditions is small and yields only a handful of events.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...