I have some data, if the message contains a word w...

nagarjuna280 · ‎04-21-2017

I have some data, if the message contains a word which is in a csv file, then results should show in a table. How should I edit my search?

I have a csv file which contains keywords like:

kill
bomb
gun
drugs
Anthrax
Arms
Attack
Atomic
If the message contains more than one word like:

take your gun
kill him
And I search like this:

search | table message, id ,name
then results should look like this:

message id name

viji261992 · ‎10-05-2018

I have a .csv file whose name is bad.csv in which the column name is eventuei I want that column to be displayed in my report.
Please let me know how to pull the .csv file inside the query and display the "eventuei" column in the report.

niketn · ‎04-23-2017

Following query creates a dummy lookup using makeresults (In case of lookup file you can use inputlookup command instead.)

| makeresults
| eval findPattern="kill,bomb,gun,drugs,Anthrax,Arms,Attack,Atomic"
| makemv delim="," findPattern 
| mvexpand findPattern limit=10

Splunk's map command would be able to iterate though the keywords in the previous query

| map search="| makeresults | eval testData=\"Chuck Norris doesn't need gun to kill\"| eval matched=if(match(testData,\"$findPattern$\"),1,0)"
| search matched="1"
| stats sum(matched) as matched by testData
| table testData, matched

Combine the above two search which is a run anywhere example.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

I have some data, if the message contains a word which is in a csv file, then results should show in a table. How should I edit my search?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!