Getting Data In

Matching key word in CSV with other data

abbam
Explorer

Hi,

I have data in a CSV file which I am pulling in a search.

For example:

|inputlookup data.csv

description title
data here some random title

I have another CSV which contains key words such as:

keywords.csv
Word:
data
random
title

I want to basically match my data.csv with the keywords.csv and create a new column within the splunk search where the keyword matches.

So the outcome should be:

description title matches
data here some random title yes
test test2 no

how can this be achieved?

Thanks

0 Karma
1 Solution

somesoni2
SplunkTrust
SplunkTrust

pgrantham_splun
Splunk Employee
Splunk Employee

If I'm understanding the question correctly, this should do what you're asking for:

| inputlookup data.csv 
| join title type=left [|inputlookup keywords.csv | rename word as title | eval match="yes"]
| eval match=if(isnull(match),"no",match)
| table title description match

Where data.csv contains:
description,title
"here is a description","title"

and keywords.csv contains:
word
"some"
"random"
"title"
"here"

0 Karma

abbam
Explorer

Afraid that doesn't work.

The keywords need to be wildcarded and it needs to be found within a sentence within the data.csv file.

So data.csv includes this sentence:
"this is random data"

keyword.csv file:
random

needs to find the match in the data.csv and output a new field saying that it's matched

0 Karma

somesoni2
SplunkTrust
SplunkTrust

abbam
Explorer

+1 +1 thank you so much! got this working.

0 Karma

abbam
Explorer

I've tried to do something similar but cannot seem to get it working.

How do I reference the CSV as the source in the props.conf file?

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...