Solved: How to take index names from a CSV file and run a ...

varad_joshi · ‎09-03-2015

I need to find various information (counts, last and first event received time, etc) on indexes listed in a CSV file. There will be a time when index names will be added and hence, I don't want to hardcode my search with index names. I want to keep them in CSV so its easy to update.

tom_frotscher · ‎09-03-2015

Hi,

you can use a subsearch:

[| inputlookup myindexes.csv | table index] | rest of your search

In this example, imagine there is a csv file with a column "index" and in this column you list all your indexes.
The subsearch is resolved like this

 index=index1 OR index2 ...

Splunk interprets your search like this:

index=index1 OR index=index2 ... | rest of your search

Greetings

Tom

View solution in original post

tom_frotscher · ‎09-03-2015

Hi,

you can use a subsearch:

[| inputlookup myindexes.csv | table index] | rest of your search

In this example, imagine there is a csv file with a column "index" and in this column you list all your indexes.
The subsearch is resolved like this

 index=index1 OR index2 ...

Splunk interprets your search like this:

index=index1 OR index=index2 ... | rest of your search

Greetings

Tom

varad_joshi · ‎09-07-2015

Thanks Tom, first option worked flawlessly. Appreciate your help.

How to take index names from a CSV file and run a stats count on the listed index names?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!