I have a list of IPs that I'd like to use as input to a saved search. Instead of manually typing (ip=x OR ip=y OR ip=z), if I have a csv file on my local drive with a single column of IPs, is there a way for the saved search to dynamically import the IPs?
I've looked at inputcsv but that seems to expect the csv to reside on the server. I want to pull the csv from my local disk, or write a form that prompts for the location of the csv on my local disk.
Just an alternative: you can use a lookup table.
A lookup table has a csv file as its back end. You can update the csv (lookup table) from the query.
But I guess your request is to use the csv from your local machine; that will be difficult:
1) It will require authentication.
2) Data will not be consistent across users in the organization, as they will not be able to get the results that you can see (if there is more than one user of Splunk).
It isn't really practical to ssh the file up to the server.
1. It is too hard to remember the incantation, and would take too long. Not all of our Splunk users are that savvy.
2. Our Splunk users do not have SSH access to the production Splunk server machine.
Any chance of making this an enhancement request?
As you've discovered, inputcsv is the correct answer here. If the csv file can only be generated on your local drive, you should write a script that takes the local file and uploads it to the proper location on the Splunk server.
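One way to prepare the local file before any upload, as an added example that is not part of the original thread: it validates a single-column CSV of IPs, drops anything that is not a literal address, and emits both a clean CSV with a header row and the `(ip=x OR ip=y)` clause from the question. The field name `ip`, the function names and the sample rows are assumptions; the upload step itself depends on what access the server offers and is not shown.

```python
import csv
import io
import ipaddress

# Constructed sample of a local single-column file: header, a duplicate,
# padding whitespace, an out-of-range address and a cell carrying extra search text.
SAMPLE = "ip\n10.0.0.1\n 10.0.0.2 \n10.0.0.1\n999.1.1.1\n10.0.0.3 OR host=*\n2001:db8::1\n"

def load_ips(csv_text, field="ip"):
    """Return (valid, rejected): unique validated IPs in file order, and raw rejected cells."""
    valid, rejected, seen = [], [], set()
    for row in csv.reader(io.StringIO(csv_text)):
        if not row or not row[0].strip():
            continue                      # skip blank lines
        cell = row[0].strip()
        if cell.lower() == field:
            continue                      # skip the header row
        try:
            ip = str(ipaddress.ip_address(cell))   # IPv4 or IPv6 literal only
        except ValueError:
            rejected.append(cell)         # never pass unvalidated text into a search
            continue
        if ip not in seen:
            seen.add(ip)
            valid.append(ip)
    return valid, rejected

def to_lookup_csv(ips, field="ip"):
    """Render a clean CSV with a header row, suitable for a server-side csv file."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow([field])
    for ip in ips:
        writer.writerow([ip])
    return out.getvalue()

def to_search_clause(ips, field="ip"):
    """Build the (ip=x OR ip=y) clause from already-validated addresses."""
    return "(" + " OR ".join(f'{field}="{ip}"' for ip in ips) + ")"

if __name__ == "__main__":
    good, bad = load_ips(SAMPLE)
    print(to_lookup_csv(good), end="")
    print(to_search_clause(good))
    print("rejected:", bad)
```
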