Splunk Search

lookup/inputlookup from csv

barneser
Engager

Hey,

I'm trying to search Splunk indexes for the content within a CSV.

The CSV will either contain IP addresses or URLs and has no headers. In this case I have called it Test_www.csv

I have tried a few things I have found online with no luck.
index = * [| inputlookup CTI_Test_www.csv ]

The aim would be that on an ad hoc basis, I will upload the CSV and see if we have had any hits on the domains or IPs previously.

Thanks for your help.

0 Karma

gcusello
SplunkTrust

Hi @barneser,
when you load a CSV in a lookup you always have to insert a header with field names; if not, you'll have as field names: field1, field2, ...
Anyway, if in your logs you have already extracted a field for e.g. IP (e.g. using a regex) called IP, you can run a search like this (if the lookup field containing the IP is field1):

index = * [ | inputlookup CTI_Test_www.csv | rename field1 AS IP | fields IP ]
| ...

If instead you didn't extract fields from your logs, you can use something like this, which runs a full text search:

index = * [ | inputlookup CTI_Test_www.csv | rename field1 AS query | fields query ]
| ...

Ciao.
Giuseppe

0 Karma

barneser
Engager

Hi Giuseppe,
thanks for your reply.

I have recreated the CSV, added the field name "ip_lookup", put google.com as the value and ran the below search.

index = * [|inputlookup Test_www.csv |fields ip_lookup]

Unfortunately no hits, but if I just search for index = * google.com I get multiple hits.

0 Karma

gcusello
SplunkTrust

Hi @barneser,
As I said, the field name that you use in the lookup (ip_lookup) must already be extracted in your logs and must have the same name, otherwise you cannot use this search.
In other words, if in your logs there's a field called "ip", you have to rename the field in the lookup:

index = * [|inputlookup Test_www.csv |rename ip_lookup AS ip | fields ip ]
| ...

If there isn't any such field in your logs you have to use the second search I hinted at:

index = * [ | inputlookup CTI_Test_www.csv | rename ip_lookup AS query | fields query ]
| ...

Ciao.
Giuseppe

0 Karma
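An added illustration of the point made in this thread (not part of the original posts, not Splunk's own expansion code): a small Python script that loads a headerless or headed IOC CSV, builds the search that the inputlookup subsearch expands to in the two forms Giuseppe describes (field=value terms versus bare terms via the `query` field), and runs both against a few constructed events to show why the field-based form returns nothing when the events carry no such field. The CSV contents, the event records and the exact quoting of the expanded string are assumptions made for this example.

```python
import csv
import io

# Constructed sample lookups: the poster's first CSV had no header,
# the second one had the header "ip_lookup".
HEADERLESS_CSV = "google.com\n192.0.2.10\nexample.net\n"
HEADED_CSV = "ip_lookup\ngoogle.com\n192.0.2.10\n"

# Constructed sample events: raw text plus whatever fields were extracted.
# The first event contains google.com in _raw but has no extracted IP/URL field.
EVENTS = [
    {"_raw": "GET http://google.com/ 200 user=alice", "user": "alice"},
    {"_raw": "src=192.0.2.10 dst=10.0.0.5 action=allow", "src": "192.0.2.10"},
    {"_raw": "src=10.0.0.7 dst=10.0.0.5 action=deny", "src": "10.0.0.7"},
]


def load_lookup(csv_text, has_header):
    """Return (field_name, values). Without a header Splunk names column 1 'field1'."""
    rows = [r for r in csv.reader(io.StringIO(csv_text)) if r]
    if has_header:
        return rows[0][0], [r[0] for r in rows[1:]]
    return "field1", [r[0] for r in rows]


def spl_quote(value):
    """Quote a lookup value so dots, slashes and spaces are not parsed as operators."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def subsearch_expansion(values, log_field=None):
    """log_field=None mimics '| rename <col> AS query': bare terms, no field filter."""
    if log_field is None:
        return " OR ".join(spl_quote(v) for v in values)
    return " OR ".join(f"({log_field}={spl_quote(v)})" for v in values)


def build_search(csv_text, has_header, log_field=None, index="*"):
    """Full search string equivalent to index=<index> [ | inputlookup ... ]."""
    _, values = load_lookup(csv_text, has_header)
    return f"index={index} " + subsearch_expansion(values, log_field)


def hits(events, values, log_field=None):
    """Evaluate the two forms: exact field match, or substring match on _raw
    (an approximation of Splunk full-text search, assumed for this example)."""
    if log_field is None:
        return [e for e in events if any(v.lower() in e["_raw"].lower() for v in values)]
    return [e for e in events if e.get(log_field) in values]
```

Running `hits(EVENTS, ["google.com"], "ip_lookup")` returns nothing because no event has an `ip_lookup` field, while `hits(EVENTS, ["google.com"])` finds the first event, which is the behaviour the poster observed.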