I would like to see either matching or non-matching transaction names returned by transaction_name column from transaction.csv file with respect to events in index.

But above search query is not returning any data, when I executed above query it returned no result found.

Please provide some useful raw events and your expected result, otherwise there is no way for anyone to help you get the result you want 😉

My index name is iot which is generating number of events as below,

index=iot

Below is the transaction value contained in transaction_name csv from transaction.csv lookup and events from iot index

trnsaction_name: WSVCUpdateMilestone
160701 09:57:32.322 (I 4) [:0x0 0x5774c746 0x49ce2b 0x28 0x0 0x0:N_MlIsMd] Workflow (FX we_WorkflowUpdate.c 272) Status returning by WSVCUpdateMilestone: 0

transaction_name: Workflow
160701 09:57:32.322 (I 4) [:0x0 0x5774c746 0x49ce2b 0x28 0x0 0x0:N_MlIsMd] Workflow (FX we_WorkflowUpdate.c 272) Status returning by WSVCUpdateMilestone: 0

transaction_name: DBServerId
160701 09:57:32.266 (D 5) [:0x0 0x5774c746 0x49ce2b 0x28 0x0 0x0:N_MlIsMd] DBServerId (FX wf_Engine.c 659) Account server: 3

transaction_name: CallData
160701 09:57:32.266 (I 4) [:0x0 0x5774c746 0x49ce2b 0x28 0x0 0x0:N_MlIsMd] CallData (FX wf_Engine.c 701) CONTENT IN DEBUG FILE

Now, I have a lookup table named transaction.csv contains one colunm, transaction_name. The goal is to have Splunk go through the lookup table and match text in the column, transaction_name with the index iot. and return either matching or non-matching term

Lookup table is "transaction.csv" having one column named, transaction_name it have N numbers of entries (1000 entries) follows:

transaction_name
WSVCUpdateMilestone
Workflow
DBServerId
CallData
....
These are thousands of transaction name contained in lookup table, we want to check whether index is returning any events containing above transaction value.

Manually executing search query is difficult for thousands of entries like,

index="index_name" "transaction_name"

This is why we want to use lookup which will go through index events and return list of either matching or non_matching transaction values from table.

Any help would be great. I have tried the below:

index=iot [|inputlookup transaction.csv | return transaction_name]

But above search query is not returning any data, when I executed above query it returned no result found.

II have a lookup table named transaction.csv contains one colunm, transaction_name. The goal is to have Splunk go through the lookup table and match text in the column named, transaction_name. and return a matching term

Lookup table is "transaction.csv" having one column named, transaction_name it have N numbers of entries (1000 entries) follows:

transaction_name
status
result
failed
success
report
idle
....
Any help would be great. I have tried the below:

index=index_name [| inputlookup transaction.csv | eval search=transaction_name | table search]

Above search query not returning matching terms in table format.

I would like to see output of matching terms(from csv file and events) in table format.