Hi,
I am trying to use a CSV file to search variables, as I was using an OR command but the amount of variables is increasing; however, it's not returning any results.
sourcetype=drm_ssa_log | search [ inputlookup domain_provisioning_master.csv | return 10000 hhRef ] | table hhRef
thanks.
So after a lot of web searching I got the search string:
sourcetype=drm_ssa_log [inputlookup test_csv.csv | return 10000 hhRef=hhRef]
where test_csv.csv looks like
hhRef
001AB12
0034526
00BD741
0035682A
It reads the list as hhRef, and the return 10000 hhRef=hhRef means return the 10000 values and assign the alias hhRef to the field hhRef.
I did try " | fields hhRef " but I think this just searches for 001AB12 across the whole log file.
Try this:
sourcetype=drm_ssa_log | lookup domain_provisioning_master foo | table hhRef
Where 'foo' is a field in both the drm_ssa_log sourcetype and in the CSV. The lookup command will return all fields from the CSV.
Thanks for the prompt response Rich,
I get the following error;
Error in 'lookup' command: The lookup table 'domain_provisioning_master' does not exist.
I think I should have said that the CSV file is from an Excel doc; it's a single column of figures. The foo part is a field in the drm_ssa_log called hhRef, so my search looks like:
sourcetype=drm_ssa_log | lookup domain_provisioning_master hhRef | table hhRef
If hhRef already exists in drm_ssa_log, what is the lookup for?
If the CSV is just a single column of numbers, then you have no way to correlate the data in the CSV with the events from your search.
The hhRef in the CSV table is a partial amount of users that need to be checked on the system.
I don't understand that statement. How do you map hhRef from drm_ssa_log to the appropriate hhRef value in the CSV?
Apologies, I am very new to Splunk and coding.
I had an OR statement to find some entries in a log file where the field hhRef=001TR12. This was fine, but the number of hhRef values is increasing and I thought using a CSV file would be a better alternative to a really long OR statement which I keep having to edit.
So my csv file is;
001AB12
0034526
00BD741
0035682A
I want to parse these values into a search as the field hhRef.
Hope that's clearer 🙂
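Added example, not part of the thread and not Splunk's own code: a Python sketch that approximates the filter text the `[inputlookup test_csv.csv | return 10000 hhRef=hhRef]` subsearch hands to the outer search, and shows what happens when the CSV has no `hhRef` header row. The function names and the exact quoting of the generated terms are assumptions; the sample CSV text is constructed from the values posted above.

```python
import csv
import io

# Constructed sample: the lookup file with its hhRef header row.
WITH_HEADER = "hhRef\n001AB12\n0034526\n00BD741\n0035682A\n"
# Constructed sample: the same values exported without a header row.
NO_HEADER = "001AB12\n0034526\n00BD741\n0035682A\n"


def expand_return(csv_text, count, alias, field):
    """Approximate `inputlookup <csv> | return <count> <alias>=<field>`.

    Hypothetical helper: builds the OR-joined filter the outer search
    receives in place of the bracketed subsearch.
    """
    # As with a CSV lookup file, the first row supplies the field names.
    reader = csv.DictReader(io.StringIO(csv_text))
    names = reader.fieldnames or []
    if field not in names:
        # Without a header, the first value becomes the only field name,
        # so there is no hhRef column to return.
        raise KeyError(f"lookup has no field {field!r}; fields are {names}")
    terms = []
    for row in reader:
        if len(terms) >= count:  # `return N` caps the number of rows used
            break
        value = row[field]
        # Escape characters that would break the quoted term (assumed quoting).
        escaped = value.replace("\\", "\\\\").replace('"', '\\"')
        terms.append(f'({alias}="{escaped}")')
    return " OR ".join(terms)


def build_search(csv_text, base="sourcetype=drm_ssa_log"):
    """Return the outer search with the subsearch replaced by its expansion."""
    return f"{base} ({expand_return(csv_text, 10000, 'hhRef', 'hhRef')})"


if __name__ == "__main__":
    print(build_search(WITH_HEADER))
    try:
        build_search(NO_HEADER)
    except KeyError as err:
        print("header missing:", err)
```

The expanded form is the same long OR statement that was being edited by hand, now regenerated from the file each time the search runs.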