Reference values in CSV versus hardcoding search query for desired results

orion44
Communicator

Is it possible to have Splunk reference values inside a CSV file at search time? This is much needed, as I'm currently hardcoding static values into multiple reports' search queries.

Example report:
index=datalog AND (Name=Tim OR Name=Bob OR Name=Jenn OR Name=Stacy) | table Name _time

How can I put the names into a CSV (on the indexer) to be referenced at search time for multiple reports?

Desired result:
names.csv (one Name per line)
index=datalog AND Name IN names.csv | table Name _time

0 Karma

Shan
Builder

Dear @orion44,

Right now you are writing your query as mentioned below.
Example report:
index=datalog AND (Name=Tim OR Name=Bob OR Name=Jenn OR Name=Stacy) | table Name _time

You wish to write the query as mentioned below: you don't want to hard-code the Name values in the query. You need to store them in a CSV file and use it in all the queries. Am I right?
Desired result:
names.csv (one Name per line)
index=datalog AND Name IN names.csv | table Name _time

Steps:
1. Create a CSV file and enter all the names in it.
2. Upload names.csv as a lookup table file. Follow the steps in the link below. The field name in names.csv and in index=datalog must be the same.
[https://docs.splunk.com/Documentation/SplunkCloud/latest/Knowledge/Usefieldlookupstoaddinformationto...]
3. Use the lookup file and create a query as shown below.

 index=datalog
| lookup names.csv Name OUTPUT Name AS matched_name
| where isnotnull(matched_name)
| table Name _time

Give it a try and let me know whether it works or not.

Thanks.

0 Karma

orion44
Communicator

Thank you for the suggestion. Unfortunately a static lookup doesn't achieve what I want, as the names in names.csv change frequently. I just need to be able to reference variables (names) in a CSV file instead of hardcoding them at search time.

0 Karma

mydog8it
Builder

Try using 'join' to pull in the values from the CSV. Assuming the data has a field called 'name', as does the CSV, the search would look like this:
index=datalog | join name [| inputlookup names.csv] | table name _time

0 Karma

mydog8it
Builder

I think I might have misunderstood your question. My suggestion above would pull names from a CSV and look for them in the data. If you want to create a CSV that contains the name and _time from the data, try something like this (you will need to decide on append):
index=datalog | table name _time | outputlookup append=[true or false] names.csv

Then you can use join as shown above for report generation.

0 Karma

orion44
Communicator

Thanks, I want to match strings inside a CSV (on the indexer) when I perform a query for specific names (as part of an eval statement) at search time. Currently I'm hardcoding the names into the search query; however, this method doesn't scale and requires updating multiple reports when names are added to the required search criteria.

0 Karma
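The pattern the asker describes (keep the list in names.csv, have every report read it at search time) is normally done in SPL with an inputlookup subsearch rather than join or a bare lookup. The searches below are an added example for this thread, not code posted by any of the participants. The first search seeds names.csv with the four names from the question (constructed test data, written with outputlookup); the second is the report itself; the third just shows what the file currently holds. The index name datalog and the field Name are taken from the question.

```spl
| makeresults
| eval Name=split("Tim,Bob,Jenn,Stacy", ",")
| mvexpand Name
| table Name
| outputlookup names.csv

index=datalog [| inputlookup names.csv | dedup Name | fields Name]
| table Name _time

| inputlookup names.csv
```

The subsearch returns one row per name with only the Name field, which Splunk rewrites into `(Name="Tim") OR (Name="Bob") OR ...` and splices into the outer search, so editing names.csv (or re-running the seeding search with new values) changes every report that uses it without touching their SPL. If the events carry the field as `name` rather than `Name`, rename inside the subsearch: `[| inputlookup names.csv | rename Name AS name | fields name]`. Two caveats: a subsearch is capped by limits.conf [subsearch] maxout (10,000 results by default) and maxtime, so very long lists should use the `lookup ... | where isnotnull(...)` form instead; and lookup matching is case-sensitive by default while `Name="Tim"` in the outer search is not, so the two methods can return different rows. Because outputlookup lets anyone with write access to the lookup silently change what every dependent report matches, keep names.csv in an app whose lookup permissions are limited to the roles that should control that list.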