Solved: How can I display a matched value from a list.csv ...

packet_hunter · ‎01-22-2016

For back ground please check the accepted answer for :
Best way to check email logs for recipients that are on a list

Scenario:
Searching for emails with a specific subject.
Need to know if any recipients are on a watch_list.csv (this has been accomplished by the following from somesoni2)
.... | lookup watch_list.csv emailaddress as recp OUTPUT flag | eval on_list=if(flag=1,"yes","no") | fields - flag ....

However, now I need the yes and the emailaddress that match the emailaddress on the watch_list.csv

Please provide an example.

Thank you

somesoni2 · ‎01-22-2016

Just change your lookup command like this

..... | lookup watch_list.csv emailaddress as recp OUTPUT flag emailaddress | eval on_list=if(flag=1,"yes","no") | fields - flag

View solution in original post

somesoni2 · ‎01-22-2016

Just change your lookup command like this

..... | lookup watch_list.csv emailaddress as recp OUTPUT flag emailaddress | eval on_list=if(flag=1,"yes","no") | fields - flag

packet_hunter · ‎01-22-2016

I knew you would come thru!!!! Thanks for all the help, I was adding emailaddress after the pipe... d'oh
Thanks again

packet_hunter · ‎01-22-2016

um, is there a way to arrange the columns so that on_list column comes before emailaddress?

jluo_splunk · ‎01-22-2016

Are the email addresses stored in different field names? If so, try appending this to the end of your search

.. | where on_list="yes" AND  email1=email2

packet_hunter · ‎01-22-2016

Thank you, however Somesoni2's answer actually works better for me.

packet_hunter · ‎01-22-2016

in other words, I want to add the emailaddress to the yes output....

eval on_list=if(flag=1, "Yes" --and the matching emailaddress

Thank you

How can I display a matched value from a list.csv ?

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio