Splunk Search

lookup/inputlookup from csv

barneser
Engager

Hey,

I'm trying to search Splunk indexes for the content within a CSV.

The CSV will either contain IP addresses or URLs and has no headers. In this case I have called it Test_www.csv

I have tried a few things I have found online with no luck.
index = * [| inputlookup CTI_Test_www.csv ]

The aim would be that on an ad hoc basis, I will upload the CSV and see if we have had any hits on the domains or IPs previously.

Thanks for your help.

0 Karma

gcusello
SplunkTrust

Hi @barneser,
when you load a CSV into a lookup you always have to insert a header with field names; if not, you'll have field1, field2, ... as field names.
Anyway, if in your logs you have already extracted a field for the IP (e.g. using a regex) called IP, you can run a search like this (if the lookup field containing the IP is field1):

index = * [ | inputlookup CTI_Test_www.csv | rename field1 AS IP | fields IP ]
| ...

If instead you haven't extracted fields from your logs, you can use something like this, which runs a full-text search:

index = * [ | inputlookup CTI_Test_www.csv | rename field1 AS query | fields query ]
| ...

Ciao.
Giuseppe

0 Karma

barneser
Engager

Hi Giuseppe,
thanks for your reply.

I have recreated the CSV, added the field name "ip_lookup", put google.com as the value and ran the below search.

index = * [|inputlookup Test_www.csv |fields ip_lookup]

Unfortunately no hits, but if I just search for index = * google.com I get multiple hits.

0 Karma

gcusello
SplunkTrust

Hi @barneser,
As I said, the field name that you use in the lookup (ip_lookup) must already be extracted in your logs and must have the same name; otherwise you cannot use this search.
In other words, if in your logs there's a field called "ip", you have to rename the field in the lookup:

index = * [|inputlookup Test_www.csv |rename ip_lookup AS ip | fields ip ]
| ...

If there isn't any such field in your logs, you have to use the second search I hinted at:

index = * [ | inputlookup CTI_Test_www.csv | rename ip_lookup AS query | fields query ]
| ...

Ciao.
Giuseppe

0 Karma
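Putting Giuseppe's two answers together, here is an added example that is not part of the thread. It uses the lookup file Test_www.csv with the header ip_lookup from the posts above; the event field src_ip, the 30-day time range and the IOC values are assumptions for illustration. The first search is the full-text form: a subsearch field named query (the same holds for a field named search) is inserted into the outer search as bare terms, so it works even when no field has been extracted from the events. The second search replaces the subsearch with the lookup command, which avoids the default subsearch limits (10,000 rows and 60 seconds of runtime) on a large IOC list, but it only matches when the extracted field value equals the lookup value exactly:

```spl
index=* earliest=-30d
    [ | inputlookup Test_www.csv
      | rename ip_lookup AS query
      | fields query ]
| stats count BY index sourcetype

index=* earliest=-30d src_ip=*
| lookup Test_www.csv ip_lookup AS src_ip OUTPUT ip_lookup AS matched_ioc
| where isnotnull(matched_ioc)
| stats count earliest(_time) AS first_seen latest(_time) AS last_seen BY matched_ioc
```

Run the searches separately. Before trusting either one on a real list, check the job inspector for a subsearch truncation warning on the first search, and compare the count against a plain `index=* google.com` as the original poster did, since a CSV whose values carry stray whitespace or quotes will match nothing in the second search while still matching as free text in the first.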