Splunk Enterprise

Search text list from inputlookup ignores quotes

pkiselevs
Explorer

I have some trouble with a search from a CSV list.

If a column contains two words separated by a space, the search is done separately for each word.
Example:
sourcetype="WinEventLog:Security" ("Domain Admins") - gives the correct result
litsearch (index=* sourcetype="WinEventLog:Security" "Domain Admins") | fields keepcolorder=t "*" "_bkt" "_cd" "_si" "host" "index" "linecount" "source" "sourcetype" "splunk_server"

If I try to do it like this with the list:

sourcetype="WinEventLog:Security" [| inputlookup group_list.csv |
return 10 $group_name]

normalizedSearch litsearch (index=* sourcetype="WinEventLog:Security" ((Domain Admins) OR (Domain Users))) | fields keepcolorder=t "*" "_bkt" "_cd" "_si" "host" "index" "linecount" "source" "sourcetype" "splunk_server"

group_list.csv
group_name
Domain Admins
Domain Users

This search returns results where domain, users, admin are found, but not "Domain Admins".
I tried adding quotes and delimiters, but this does not help.

nr,group_name,desc
1,"Domain Admins",super
2,Domain Users,standard

1 Solution

pkiselevs
Explorer

I have added to csv like this
nr,group_name,desc
1,("Domain Admins"),super
2,("Domain Users"),standard

and the quotes are in the search
normalizedSearch litsearch (index=* sourcetype="WinEventLog:Security" ("Domain Admins" OR "Domain Users")) | fields keepcolorder=t "*" "_bkt" "_cd" "_si" "host" "index" "linecount" "source" "sourcetype" "splunk_server"

Events return exactly as from
index=* sourcetype="WinEventLog:Security" (("Domain Admins") OR ("Domain Users"))

The only issue is that the search takes a long time, but for a start it is OK.

Thank you for advice!

Final search looks:

index=* sourcetype="WinEventLog:Security" [| inputlookup group_list.csv |
return 10 $group_name]

CSV

nr,group_name,desc
1,("Domain Admins"),super
2,("Domain Users"),standard


somesoni2
SplunkTrust

Try like this

sourcetype="WinEventLog:Security" [| inputlookup group_list.csv | eval group_name="\"".group_name."\"" |
return 10 $group_name]

OR

sourcetype="WinEventLog:Security" [| inputlookup group_list.csv | head 10 | table group_name | rename group_name as search]
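As an added, self-contained example (not code from the thread), the search below combines the accepted solution and somesoni2's eval approach so the quoting behaviour can be checked without the lookup file: the inner makeresults stands in for group_list.csv, the three event texts are constructed to look like WinEventLog:Security messages, and the third event contains the words "Domain" and "Users" without the phrase "Domain Users". With the eval line in place the subsearch expands to (("Domain Admins") OR ("Domain Users")) and only the first two events match; if the eval line is removed it expands to ((Domain Admins) OR (Domain Users)), which is Domain AND Admins OR Domain AND Users, and the third event matches as well.

```spl
| makeresults count=3
| streamstats count AS n
| eval _raw=case(
    n==1, "EventCode=4728 A member was added to a security-enabled global group. Group Name: Domain Admins",
    n==2, "EventCode=4728 A member was added to a security-enabled global group. Group Name: Domain Users",
    n==3, "EventCode=4732 A member was added to a security-enabled local group. Group Name: Remote Desktop Users Account Domain: CORP")
| search [
    | makeresults count=2
    | streamstats count AS n
    | eval group_name=case(n==1, "Domain Admins", n==2, "Domain Users")
    | eval group_name="\"" . group_name . "\""
    | return 10 $group_name ]
```

For the production search, replace the inner makeresults/streamstats/first eval with `| inputlookup group_list.csv` and the outer makeresults with `index=* sourcetype="WinEventLog:Security"`; the quoting eval then does the same job as storing `("Domain Admins")` in the CSV. The pipe before `return` matters: without it, Splunk reads `return 10 $group_name` as part of the eval expression and reports it as malformed. For a detection that alerts on additions to privileged groups, the unquoted form widens the match to any event mentioning both words anywhere, which is why the Remote Desktop Users event above is a false positive.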

pkiselevs
Explorer
  1. returns Error in 'eval' command: The expression is malformed.
  2. returns only the first row in the search, but is very fast

Thanks for advice



493669
Super Champion

Try this:

index=*  sourcetype="WinEventLog:Security" (("Domain Admins") OR ("Domain Users"))

Let me know what output you are receiving?


pkiselevs
Explorer

You showed me the tip. I have added to the CSV like this
nr,group_name,desc
1,("Domain Admins"),super
2,("Domain Users"),standard

and the quotes are in the search
normalizedSearch litsearch (index=* sourcetype="WinEventLog:Security" ("Domain Admins" OR "Domain Users")) | fields keepcolorder=t "*" "_bkt" "_cd" "_si" "host" "index" "linecount" "source" "sourcetype" "splunk_server"

Events return exactly as from
index=* sourcetype="WinEventLog:Security" (("Domain Admins") OR ("Domain Users"))

The only issue is that the search takes a long time, but for a start it is OK.

Thank you for advice!

Final search looks:

index=* sourcetype="WinEventLog:Security" [| inputlookup group_list.csv |
return 10 $group_name]

CSV

nr,group_name,desc
1,("Domain Admins"),super
2,("Domain Users"),standard


493669
Super Champion

use 101010 (code sample) to post search or code


felipesewaybric
Contributor

you can try ('Domain Admins' OR 'Domain Users')?


pkiselevs
Explorer

This option does not help; the search returns no hits.
litsearch (index=* sourcetype="WinEventLog:Security" (('Domain Admins') OR ('Domain Users'))) | fields keepcolorder=t "*" "_bkt" "_cd" "_si" "host" "index" "linecount" "source" "sourcetype" "splunk_server"

I think it performs a 'Domain AND Admin' search, not a "Domain Admin" search.
