How to use a csv file to search fields.

ssaenger
Communicator

Hi,

I am trying to use a CSV file to search variables, as I was using an OR command but the amount of variables is increasing; however, it's not returning any results.

sourcetype=drm_ssa_log | search [ inputlookup domain_provisioning_master.csv | return 10000 hhRef ] | table hhRef

thanks.

1 Solution

ssaenger
Communicator

So after a lot of web searching I got the search string;
sourcetype=drm_ssa_log [inputlookup test_csv.csv | return 10000 hhRef=hhRef]

where test_csv.csv looks like
hhRef
001AB12
0034526
00BD741
0035682A

It reads the list as hhRef, and the return 10000 hhRef=hhRef means return the 10000 values and assign the alias hhRef to the field hhRef.

I did try " | fields hhRef " but I think this just searches for 001AB12 across the whole log file.
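
An added example, not part of the original post and not Splunk's own code: a Python model of the OR expression that the subsearch in the solution above hands to the outer search, run once on a CSV with the hhRef header row and once on a single-column file without one. The function names and the exact quoting of values are assumptions; the sample CSV text is constructed from the values quoted in the thread.

```python
import csv
import io
from itertools import islice

# Constructed sample lookups using the values quoted in the thread:
# one with the hhRef header row, one with the header row missing.
WITH_HEADER = "hhRef\n001AB12\n0034526\n00BD741\n0035682A\n"
NO_HEADER = "001AB12\n0034526\n00BD741\n0035682A\n"


def quote(value):
    """Wrap a value in double quotes, escaping backslashes and quotes."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def expand_return(csv_text, count, field, alias=None):
    """Model `inputlookup <csv> | return <count> <alias>=<field>`.

    The first CSV row supplies the field names. Each of the first `count`
    rows with a non-empty `field` becomes one (alias="value") term, and
    the terms are joined with OR. (Exact quoting is an assumption.)
    """
    alias = alias or field
    reader = csv.DictReader(io.StringIO(csv_text))
    terms = []
    for row in islice(reader, count):
        value = (row.get(field) or "").strip()
        if value:
            terms.append(f"({alias}={quote(value)})")
    return " OR ".join(terms)


def outer_search(base, csv_text, count, field):
    """Return the full search after the subsearch has been expanded."""
    expr = expand_return(csv_text, count, field)
    if not expr:
        # No column named `field`, e.g. because the file has no header
        # row and its first value was read as the field name.
        raise ValueError(f"lookup has no usable '{field}' column")
    return f"{base} ({expr})"


if __name__ == "__main__":
    print(outer_search("sourcetype=drm_ssa_log", WITH_HEADER, 10000, "hhRef"))
    try:
        outer_search("sourcetype=drm_ssa_log", NO_HEADER, 10000, "hhRef")
    except ValueError as err:
        print("headerless CSV:", err)
```

In this model the headerless file yields no terms at all, because its first value is read as the column name and no hhRef column exists.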

richgalloway
SplunkTrust

Try this:

sourcetype=drm_ssa_log | lookup domain_provisioning_master foo | table hhRef

Where 'foo' is a field in both the drm_ssa_log sourcetype and in the CSV. The lookup command will return all fields from the CSV.

---
If this reply helps you, Karma would be appreciated.
0 Karma

ssaenger
Communicator

Thanks for the prompt response Rich,
I get the following error;
Error in 'lookup' command: The lookup table 'domain_provisioning_master' does not exist.

I think I should have said that the CSV file is from an Excel doc, it's a single column of figures, the foo part is a field in the drm_ssa_log called hhRef, so my search looks like;

sourcetype=drm_ssa_log | lookup domain_provisioning_master hhRef | table hhRef

0 Karma

richgalloway
SplunkTrust

If hhRef already exists in drm_ssa_log, what is the lookup for?
If the CSV is just a single column of numbers, then you have no way to correlate the data in the CSV with the events from your search.

---
If this reply helps you, Karma would be appreciated.
0 Karma

ssaenger
Communicator

The hhRef in the CSV table is a partial amount of users that need to be checked on the system.

0 Karma

richgalloway
SplunkTrust

I don't understand that statement. How do you map hhRef from drm_ssa_log to the appropriate hhRef value in the CSV?

---
If this reply helps you, Karma would be appreciated.
0 Karma

ssaenger
Communicator

Apologies, I am very new to Splunk and coding.
I had an OR statement to find some entries in a log file where the field hhRef=001TR12. This was fine, but the number of hhRef values is increasing and I thought using a CSV file would be a better alternative to a really long OR statement which I keep having to edit.
So my CSV file is;
001AB12
0034526
00BD741
0035682A
I want to parse these values into a search as the field hhRef.

Hope that's clearer 🙂

0 Karma