Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- serach not working with input csv
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
serach not working with input csv
Hi,
I have a input lookup file called "services" and I need to search all values of a field (channels) from that csv file to a new search. I am using append for this.
Here is my search
index="apache_logs" | append [ inputlookup services | fields channels ]
But the problem is I tried to validate the search by using the following, which is adding all the values of the field - channels using OR and i am getting different results.
index="apache_logs" channel1 OR channel2 OR channel3 .....OR channel25
Am i doing anything wrong here ?
Thanks fro your help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Based on your goal it sounds like you shouldn't be using append at all. append is used for adding search results to the ones that are already there. It does not filter those search results.
Just remove | append and you should be good to go:
index="apache_logs" [| inputlookup services | fields channels ]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That query is in practice identical to the one I wrote, so if one works but not the other that's kind of odd.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Thanks for that. It didn't work. But i have made some changes to the search and it seems to be working now (but need to validate it)
index="apache_logs" |search [| inputlookup services | fields channels ]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am trying to use the fields for filtering the search.
I want to search the index="apache_logs" with all the values of the field "channels" from lookup "services".
It would give me a result equivalent to
index="apache_logs" channel1 OR channel2 OR channel3 .....OR channel25
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm struggling to understand the question. Maybe it's just me missing the meaning but I don't understand - could you explain the problem more clearly? Do you want to append the results from the services CSV rather than just use it for filtering the search?
I'm guessing you mean | append [|inputlookup services | fields channels] (with the | before inputlookup), otherwise Splunk would throw an error.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
