Hi Everyone,
I have uploaded a CSV file to the lookup table. Only one column of data is in the list. For example, I put some web links into the list:
*.baidu.com
*.sina.com.cn
*.sohu.com
.....
How do I write a search to refer to the CSV file? Do I have to put the info into a transforms.conf file?
I want to run a search like:
index=* sourcetype=websence http_method=post NOT {(*THE CSV FILE OF THE WEBSITE LINKS*)"} ..... | stats ...
Please help...
Like this:
index=* sourcetype=websence http_method=post NOT [| inputcsv YourCSVFile | rename InsideCSVFieldName AS EventDataFieldName] ..... | stats ...
Firstly, refer to http://answers.splunk.com/answers/52580/can-we-use-wild-characters-in-lookup-table.html about setting up a lookup with wildcards. You may also want to add an additional field to the lookup file (maybe call it 'in_lookup').
Then you will want to do the following search...
index=* sourcetype=websence http_method=post | lookup weblink_lookup InsideCSVFieldName AS EventDataFieldName OUTPUT in_lookup | where isnull(in_lookup)
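For reference, a wildcard lookup definition that ties the question's CSV to the search in the last answer. This is an added example, not part of the original posts; the file name weblinks.csv, the CSV column name domain and the event field name url_host are assumptions.

```ini
# transforms.conf
# The stanza name is the lookup name used by the "lookup" command.
[weblink_lookup]
# Assumed file name for the uploaded CSV.
filename = weblinks.csv
# Treat values in the CSV column "domain" as wildcard patterns, not literals.
match_type = WILDCARD(domain)
# Hostnames are case-insensitive.
case_sensitive_match = false
# One matching row is enough to flag the event.
max_matches = 1

# weblinks.csv (constructed from the entries in the question, plus the
# extra in_lookup column suggested above):
#   domain,in_lookup
#   *.baidu.com,true
#   *.sina.com.cn,true
#   *.sohu.com,true
#
# Search, assuming the event field that holds the hostname is url_host:
#   index=* sourcetype=websence http_method=post
#   | lookup weblink_lookup domain AS url_host OUTPUT in_lookup
#   | where isnull(in_lookup)
#   | stats ...
#
# Caveat: *.baidu.com does not match the bare host baidu.com. Add a
# separate row for it if those events should be excluded as well.
```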