Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to generate a search to compare the value of a field with a CSV table?

soesia12
New Member
‎03-13-2017 10:28 AM

Hello!

I'm currently trying to compare the value of a field with a csv table.

I want to compare the destination port (dst_port) with the values of pwhitelist.csv and display the ports that are not included in the csv data.

For example: the csv file consists of the ports 80, 8080, 443 and 8000 want to display all dst_ports that are not 80, 8080, 443 or 8000.

Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jkat54
SplunkTrust
SplunkTrust
‎03-13-2017 10:47 AM 
yourBaseSearch NOT [|inputlookup pwhitelist.csv | fields Ports | rename Ports AS dst_port | format]

View solution in original post

Reply
Solved! Jump to solution
Solution

jkat54
SplunkTrust
SplunkTrust
‎03-13-2017 10:47 AM 
yourBaseSearch NOT [|inputlookup pwhitelist.csv | fields Ports | rename Ports AS dst_port | format]
Reply
Solved! Jump to solution

soesia12
New Member
‎03-13-2017 11:58 PM

Hey!

Doesn't work. It just lists all ports.

In the file there are just a few ports. At the moments it's just for testing.
pwhitelist.csv:

In the file is only one column with the header "Ports".
The values 80,443,8000,8080 are in that column.

0 Karma
Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎03-14-2017 04:03 AM

I edited my answer, please try the new version. If dst_port isn't the field name in your index, then change it to the field name you have for the ports in your indexed data.

0 Karma
Reply
Solved! Jump to solution

soesia12
New Member
‎03-14-2017 05:44 AM

thanks so much ! it worked

0 Karma
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...