Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I display a matched value from a list.csv ?

packet_hunter
Contributor
‎01-22-2016 01:20 PM

For back ground please check the accepted answer for :
Best way to check email logs for recipients that are on a list

Scenario:
Searching for emails with a specific subject.
Need to know if any recipients are on a watch_list.csv (this has been accomplished by the following from somesoni2)
.... | lookup watch_list.csv emailaddress as recp OUTPUT flag | eval on_list=if(flag=1,"yes","no") | fields - flag ....

However, now I need the yes and the emailaddress that match the emailaddress on the watch_list.csv

Please provide an example.

Thank you

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎01-22-2016 01:39 PM

Just change your lookup command like this

..... | lookup watch_list.csv emailaddress as recp OUTPUT flag emailaddress | eval on_list=if(flag=1,"yes","no") | fields - flag

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎01-22-2016 01:39 PM

Just change your lookup command like this

..... | lookup watch_list.csv emailaddress as recp OUTPUT flag emailaddress | eval on_list=if(flag=1,"yes","no") | fields - flag
0 Karma
Reply
Solved! Jump to solution

packet_hunter
Contributor
‎01-22-2016 01:44 PM

I knew you would come thru!!!! Thanks for all the help, I was adding emailaddress after the pipe... d'oh
Thanks again

0 Karma
Reply
Solved! Jump to solution

packet_hunter
Contributor
‎01-22-2016 02:06 PM

um, is there a way to arrange the columns so that on_list column comes before emailaddress?

0 Karma
Reply
Solved! Jump to solution

jluo_splunk
Splunk Employee
Splunk Employee
‎01-22-2016 01:33 PM

Are the email addresses stored in different field names? If so, try appending this to the end of your search

.. | where on_list="yes" AND  email1=email2
0 Karma
Reply
Solved! Jump to solution

packet_hunter
Contributor
‎01-22-2016 01:45 PM

Thank you, however Somesoni2's answer actually works better for me.

0 Karma
Reply
Solved! Jump to solution

packet_hunter
Contributor
‎01-22-2016 01:28 PM

in other words, I want to add the emailaddress to the yes output....

eval on_list=if(flag=1, "Yes" --and the matching emailaddress

Thank you

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...