Hey,
I'm trying to search Splunk indexes for the content within a CSV.
The CSV will either contain IP addresses or URLs and has no headers. In this case I have called it Test_www.csv
I have tried a few things I have found online with no luck.
index = * [| inputlookup CTI_Test_www.csv ]
The aim would be that on an ad hoc basis, I will upload the CSV and see if we have had any hits on the domains or IPs previously.
Thanks for your help.
Hi @barneser,
when you load a CSV in a lookup you always have to insert a header with field names; if not, you'll have as field names: field1, field2, ...
Anyway, if in your logs you already extracted a field (e.g. using a regex) called IP, you can run a search like this (if the lookup field containing the IP is field1):
index = * [ | inputlookup CTI_Test_www.csv | rename field1 AS IP | fields IP ]
| ...
If instead you didn't extract fields from your logs, you can use something like this, that runs a full text search:
index = * [ | inputlookup CTI_Test_www.csv | rename field1 AS query | fields query ]
| ...
Ciao.
Giuseppe
Hi Giuseppe,
thanks for your reply.
I have recreated the CSV, added the field name "ip_lookup", put google.com as the value and ran the below search.
index = * [|inputlookup Test_www.csv |fields ip_lookup]
Unfortunately no hits, but if I just search for index = * google.com I get multiple hits.
Hi @barneser,
As I said, the field name that you use in the lookup (ip_lookup) must already be extracted in your logs and must have the same name, otherwise you cannot use this search.
In other words, if in your logs there's a field called "ip", you have to rename the field in the lookup
index = * [|inputlookup Test_www.csv |rename ip_lookup AS ip | fields ip ]
| ...
If there isn't any such field in your logs you have to use the second search I hinted at:
index = * [ | inputlookup CTI_Test_www.csv | rename ip_lookup AS query | fields query ]
| ...
Ciao.
Giuseppe
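An added example, not from the thread, that combines the two approaches Giuseppe describes: the `query` subsearch does the free-text match against the uploaded indicators, and `lookup` then attributes each hit back to the indicator wherever an extracted field exists, so the result is a per-indicator hit summary rather than a raw event list. It assumes the uploaded file is Test_www.csv with a single header `ip_lookup` holding either IPs or domains, and that the extracted field names `src_ip` and `dest_ip` are the ones present in the logs (adjust them to your sourcetypes).

```spl
index=* earliest=-30d
    [ | inputlookup Test_www.csv
      | fields ip_lookup
      | rename ip_lookup AS query
      | format ]
| lookup Test_www.csv ip_lookup AS dest_ip OUTPUTNEW ip_lookup AS matched_dest
| lookup Test_www.csv ip_lookup AS src_ip OUTPUTNEW ip_lookup AS matched_src
| eval matched_indicator=coalesce(matched_dest, matched_src, "(free-text match only)")
| stats count AS hits
        min(_time) AS first_seen
        max(_time) AS last_seen
        values(sourcetype) AS sourcetypes
    BY matched_indicator
| convert ctime(first_seen) ctime(last_seen)
| sort - hits
```

Subsearch results are capped (10,000 rows by default via limits.conf), so a very large indicator list should be matched with `lookup` on extracted fields alone rather than expanded into the base search.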