- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- serach not working with input csv
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
serach not working with input csv
Hi,
I have a input lookup file called "services" and I need to search all values of a field (channels) from that csv file to a new search. I am using append for this.
Here is my search
index="apache_logs" | append [ inputlookup services | fields channels ]
But the problem is I tried to validate the search by using the following, which is adding all the values of the field - channels using OR and i am getting different results.
index="apache_logs" channel1 OR channel2 OR channel3 .....OR channel25
Am i doing anything wrong here ?
Thanks fro your help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Based on your goal it sounds like you shouldn't be using append at all. append is used for adding search results to the ones that are already there. It does not filter those search results.
Just remove | append and you should be good to go:
index="apache_logs" [| inputlookup services | fields channels ]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That query is in practice identical to the one I wrote, so if one works but not the other that's kind of odd.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Thanks for that. It didn't work. But i have made some changes to the search and it seems to be working now (but need to validate it)
index="apache_logs" |search [| inputlookup services | fields channels ]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am trying to use the fields for filtering the search.
I want to search the index="apache_logs" with all the values of the field "channels" from lookup "services".
It would give me a result equivalent to
index="apache_logs" channel1 OR channel2 OR channel3 .....OR channel25
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm struggling to understand the question. Maybe it's just me missing the meaning but I don't understand - could you explain the problem more clearly? Do you want to append the results from the services CSV rather than just use it for filtering the search?
I'm guessing you mean | append [|inputlookup services | fields channels] (with the | before inputlookup), otherwise Splunk would throw an error.
Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!
Transform your security operations with Splunk Enterprise Security
Splunk Admins and App Developers | Earn a $35 gift card!
