Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

query using file with list of names

hawkeyesc72
New Member
yesterday

I've got a list of over 100 account names and I'd like to search Splunk to find out the most recent activity (if any) the account performed.

Is it possible to create a search query that points Splunk to the file, it grabs the account names from the file, then performs some configured search and returns the results I need in a table?

I'd prefer not having to go through each account name one by one.

Thank you in advance for any help you can provide.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
yesterday

You can use a subsearch to filter your main search, so, assuming you have loaded your list of names into a lookup, and that your data keeps the name in the same field in all your events, you could try something like this

index=<your index> [| inputlookup <your lookup file>.csv | table name | format]
| stats latest(_time) as latest_activity by name

View solution in original post

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
2 hours ago

There are two techniques for solving such problem and picking the right one might depend on your use case.

One has been already shown by @gcusello and @ITWhisperer and involves a subsearch. This way you get a set of conditions for your main search by evaluating the subsearch which lists the entries from your lookup. 

Another possible way of going about it is to run a general search and then use the lookup to filter the results

Like

index=<whatever>
| stats max(_time) as latest_activity_time by user
| lookup <your_lookup.csv> lookupuser AS user OUTPUT user AS matcheduser
| search matcheduser=*

 

0 Karma
Reply
Solved! Jump to solution

hawkeyesc72
New Member
yesterday

Took a little tweaking but I finally got it to run. This will save us a ton of time in the long run. Thank you both for the suggestions!

0 Karma
Reply
Solved! Jump to solution

hawkeyesc72
New Member
yesterday

Thank you! I will definitely start checking these out! I appreciate the assist!

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
yesterday

Hi @hawkeyesc72 ,

yes, it's possible:

you have to put this list in a lookup (e.g. my_lookup.csv) and use it in a subsearch, putting attention that the column name in the lookup is the same of the field in your search.

So if the field is Account_name, bith in lookup and in the main search, you could run something like this:

index=your_index [ | inputlookup my_lookup.csv | fields Account_name ]
| ...

if the column name in lookup is diferent than the field in the main search, you have to rename it in the subsearch.

if you want to search the names in the lookup as free text search, you could run

index=your_index [ | inputlookup my_lookup.csv | rename Account_name AS query | fields query ]
| ...

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
yesterday

You can use a subsearch to filter your main search, so, assuming you have loaded your list of names into a lookup, and that your data keeps the name in the same field in all your events, you could try something like this

index=<your index> [| inputlookup <your lookup file>.csv | table name | format]
| stats latest(_time) as latest_activity by name
0 Karma
Reply
Get Updates on the Splunk Community!

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Community Feedback

We Want to Hear from You! Share Your Feedback on the Splunk Community   The Splunk Community is built for you ...

Manual Instrumentation with Splunk Observability Cloud: Implementing the ...

In our observability journey so far, we've built comprehensive instrumentation for our Worms in Space ...