Splunk Search

lookup/inputlookup from csv

barneser
Engager

Hey,

I'm trying to search Splunk indexes for the content within a CSV.

The CSV will either contain IP addresses or URLs and has no headers. In this case I have called it Test_www.csv.

I have tried a few things I have found online with no luck.
index = * [| inputlookup CTI_Test_www.csv ]

The aim would be that, on an ad hoc basis, I will upload the CSV and see if we have had any hits on the domains or IPs previously.

Thanks for your help.


gcusello
SplunkTrust

Hi @barneser,
When you load a CSV in a lookup you always have to insert a header with field names; if not, you'll have field1, field2, ... as field names.
Anyway, if in your logs you have already extracted a field called IP (e.g. using a regex), you can run a search like this (if the lookup field containing the IP is field1):

index = * [ | inputlookup CTI_Test_www.csv | rename field1 AS IP | fields IP ]
| ...

If instead you didn't extract fields from your logs, you can use something like this, which runs a full-text search:

index = * [ | inputlookup CTI_Test_www.csv | rename field1 AS query | fields query ]
| ...

Ciao.
Giuseppe


barneser
Engager

Hi Giuseppe,
Thanks for your reply.

I have recreated the CSV, added the field name "ip_lookup", put google.com as the value and ran the search below.

index = * [|inputlookup Test_www.csv |fields ip_lookup]

Unfortunately no hits, but if I just search for index = * google.com I get multiple hits.


gcusello
SplunkTrust

Hi @barneser,
As I said, the field name that you use in the lookup (ip_lookup) must already be extracted in your logs and must have the same name; otherwise you cannot use this search.
In other words, if in your logs there's a field called "ip", you have to rename the field in the lookup:

index = * [|inputlookup Test_www.csv |rename ip_lookup AS ip | fields ip ]
| ...

If there isn't any field in your logs, you have to use the second search I hinted at:

index = * [ | inputlookup CTI_Test_www.csv | rename ip_lookup AS query | fields query ]
| ...

Ciao.
Giuseppe

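Putting the two answers together, here is a worked example of the ad hoc IOC check the question describes. It is added here and is not code from barneser or gcusello. It assumes a constructed lookup file named ioc_list.csv (contents shown in the comment block at the top) uploaded as a lookup table file and reachable by that name from the lookup command, and it assumes the log fields src_ip and dest_host exist; the file name, the field names and the indicator values are all assumptions made for the example.

```spl
| inputlookup ioc_list.csv
| rename indicator AS query
| fields query
| format

index=* earliest=-30d
    [| inputlookup ioc_list.csv
     | rename indicator AS query
     | fields query ]
| stats count min(_time) AS first_seen max(_time) AS last_seen BY index sourcetype

index=* earliest=-30d
| eval dest_host=lower(dest_host)
| lookup ioc_list.csv indicator AS src_ip OUTPUT ioc_type AS src_hit
| lookup ioc_list.csv indicator AS dest_host OUTPUT ioc_type AS dest_hit
| where isnotnull(src_hit) OR isnotnull(dest_hit)
| stats count min(_time) AS first_seen max(_time) AS last_seen BY src_ip dest_host src_hit dest_hit
```

The assumed ioc_list.csv has a header row (indicator,ioc_type) followed by constructed rows such as 203.0.113.45,ip and example.net,domain; the header is what gives the column a usable name instead of field1. The three searches are run separately. The first one is a check, not a search of the indexes: format renders the lookup rows as the search string the subsearch hands back, so you can confirm the header was read and see exactly which terms will be searched for. The second is the full-text variant from the answers above: because the subsearch field is named query (search behaves the same way), each value is inserted as a raw search term, so one CSV can hold both IPs and domains and no field extraction is needed. The third is the field-level variant for once src_ip and dest_host are extracted; it uses the lookup command instead of a subsearch, which matters because a subsearch returns at most 10,000 rows by default (limits.conf [subsearch] maxout) and stops after 60 seconds (maxtime), while lookup has no such cap. Two caveats: lookup is an exact, case-sensitive match by default, so normalise the event field (the lower() above) to the case used in the CSV; and index=* over all time is expensive on a busy deployment, so keep earliest bounded and narrow the index list once you know where the relevant data lives.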