Splunk Search

serach not working with input csv

KarunK
Contributor

Hi,

I have a input lookup file called "services" and I need to search all values of a field (channels) from that csv file to a new search. I am using append for this.

Here is my search

index="apache_logs" | append [ inputlookup services | fields channels ]

But the problem is I tried to validate the search by using the following, which is adding all the values of the field - channels using OR and i am getting different results.

index="apache_logs" channel1 OR channel2 OR channel3 .....OR channel25

Am i doing anything wrong here ?

Thanks fro your help.

Tags (2)
0 Karma

Ayn
Legend

Based on your goal it sounds like you shouldn't be using append at all. append is used for adding search results to the ones that are already there. It does not filter those search results.

Just remove | append and you should be good to go:

index="apache_logs" [| inputlookup services | fields channels ]

Ayn
Legend

That query is in practice identical to the one I wrote, so if one works but not the other that's kind of odd.

0 Karma

KarunK
Contributor

Hi,
Thanks for that. It didn't work. But i have made some changes to the search and it seems to be working now (but need to validate it)

index="apache_logs" |search [| inputlookup services | fields channels ]

0 Karma

KarunK
Contributor

I am trying to use the fields for filtering the search.

I want to search the index="apache_logs" with all the values of the field "channels" from lookup "services".

It would give me a result equivalent to

index="apache_logs" channel1 OR channel2 OR channel3 .....OR channel25
0 Karma

Ayn
Legend

I'm struggling to understand the question. Maybe it's just me missing the meaning but I don't understand - could you explain the problem more clearly? Do you want to append the results from the services CSV rather than just use it for filtering the search?

I'm guessing you mean | append [|inputlookup services | fields channels] (with the | before inputlookup), otherwise Splunk would throw an error.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Using the Splunk Threat Research Team’s Latest Security Content

REGISTER HERE Tech Talk | Security Edition Did you know the Splunk Threat Research Team regularly releases ...

SplunkTrust | 2024 SplunkTrust Application Period is Open!

It's that time again, folks! That's right, the application/nomination period for the 2024 SplunkTrust is ...