Re: csvfile search in values

shrinivaskittur · ‎01-11-2022

Hi,

I have csv file containing emailID and domain and I would like to search the email exchanges between these two(emaild and domain)

Csv file looks like below

emailID domain

test1@company.com abc.com

test2@company.com xyz.com

test3@company.com some.com

so on ..........

based on the above I need to check how many time the emails exchanged between emailID and domain, I tried with below query but unable to get the result

richgalloway · ‎01-11-2022

The current query looks for two literal strings in the Sender and Rcpt fields, which explains why you don't get the expected results. See if this helps.

your search.... [| inputlookup test.csv 
  | eval domain= "*@.".domain
  | fields email domain | rename email as Sender, domain as Rcpt | format ] 
| table Sender Rcpt

---
If this reply helps you, Karma would be appreciated.

shrinivaskittur · ‎01-12-2022

Hi,

Please help me to get the correct query for my search.

shrinivaskittur · ‎01-11-2022

Thank you for your reply, the suggested query is not giving me any outputs. If I select any one field I get one side result but when I select both fields "| fields email domain" then I won't get any result.

I want to achieve if any "EmailID" (listed in CSV) sends an email to any of the "domain"(listed in CSV) and vice versa should be shown in the search result.

ITWhisperer · ‎01-11-2022

your search.... [| inputlookup test.csv 
  | eval domain= "*@.".domain
  | fields domain | rename domain as Rcpt | format ] 
  [| inputlookup test.csv 
  | fields email | rename email as Sender | format ] 
| table Sender Rcpt

shrinivaskittur · ‎01-11-2022

No Output from this query

ITWhisperer · ‎01-12-2022

Sorry, there was a typo - try this

your search.... [| inputlookup test.csv 
  | eval domain= "*@".domain
  | fields domain | rename domain as Rcpt | format ] 
  [| inputlookup test.csv 
  | fields email | rename email as Sender | format ] 
| table Sender Rcpt

shrinivaskittur · ‎01-16-2022

Hi,

Still the same, result is blank.

ITWhisperer · ‎01-16-2022

Perhaps there is a mismatch between your indexed data and your csv file, for example, space padding, case, etc. Have you tried using one of the values from the csv to see if you get any results

your search ... domain="*@abc.com"

shrinivaskittur · ‎01-16-2022

Hi,

I have already did this testing, I have taken sender and recipient from the recent logs and did the search using the same query but still not getting the result.

As said, I need both fields from csv to be matched in search (sender and recipient) for example.

if sender A sends email to recipient B and also if recipient B replies emails to sender B, in both case I should get the result . sender A & B are in csv should match.

ITWhisperer · ‎01-17-2022

Can you share your full search and some anonymised sample events?

csvfile search in values

lookup

Unlock Database Monitoring with Splunk Observability Cloud

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join the Conversation

csvfile search in values

lookup

Unlock Database Monitoring with Splunk Observability Cloud

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk