Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

search keywords from .csv file

bagarwal
Path Finder
‎01-05-2017 12:14 AM

Hi All,

I want to run a query that search keywords from the .csv file . I have created lookup file and lookup definitions and can see see value present in .csv file after running |inputlookup abc.csv

Now, suppose earlier I want to run query like this
" index = <> keyword1 keyword2 | table name1, name2

want to use .csv file to search for keywords ( as there are many) and display the result in tabular format

Thanks in advance.

Regards,
Binay Agarwal

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-05-2017 12:40 AM

Hi bagarwal,
to search keywords from a lookup you have to do this:

index=your_index [| inputlookup your_lookup | rename keyword AS query | fields query ] | table ....

The only problem is that it's very difficult to insert in a field the found keyword.
If you want this see this answer I received https://answers.splunk.com/answers/479831/how-to-search-for-a-pair-of-substrings-in-a-subsea.html.
Bye.
Giuseppe

0 Karma
Reply

bagarwal
Path Finder
‎01-05-2017 01:04 AM

Hi Giuseppe,

Thanks for response. The link you have given is no longer available. 😞

In the query
index=your_index [| inputlookup your_lookup | rename keyword AS query | fields query ] | table ....

didn't understand much the below part

rename keyword AS query | fields query ] . Does it mean all the keywords need to be write in rename ..
or any other better way we can present

Once again, thank you so much for the response.

Regards,
Binay Agarwal

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-05-2017 01:37 AM

if you run a subsearch you use the fields result of the secondary search in the primary (e.g. index=... [ | index=... | dedup my_field | table my_field] means that you use all the values of the field my_field to search only in the my_field field that must be present in the primary search).
Renaming a field AS "query" or "SEARCH" and passing them to the primary search you don't search for the pair field=value but you run a full text search having in OR all the keywords of your lookup.
see https://docs.splunk.com/Documentation/Splunk/6.5.1/Search/Changetheformatofsubsearchresults#The_sear...
Bye.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...