Re: Is it possible to feed splunk a file and use v...

dstonecypher · ‎01-03-2013

I need to search for a list of values for a specific field. How can I do this? The list needs to be dynamic.

lguinn2 · ‎01-03-2013

Okay, I just thought of a reasonable interpretation for your question. If the question is:

I have a list of values that I need to search for:

error22

error374

error29

This list changes regularly. I need to search Splunk for occurrences of these values.

I don't want to type (error22 OR error374 or error29 ...) in the search box; it is too long and changes too often.

Can I tell Splunk to search for this list of values from a file instead?

Then the answer is still yes: use a lookup table. There is a tutorial on lookups in the manual. Put the list in a .csv and create the lookup table. Then you can use the table to search by giving the following command:

yourothersearchcriteria [ | inputlookup yourlookupname ]

Whenever you need to change the criteria, you can simply upload a fresh copy of the .csv file,

lguinn2 · ‎02-05-2013

Note that this is NOT doing a lookup! It is actually using the inputlookup command as part of a subsearch.

Michael_Schyma1 · ‎01-03-2013

This might help out somewhat:

http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Addfieldsfromexternaldatasources

lguinn2 · ‎01-03-2013

Yes.

If you want more help than that, you will have to provide more detail in your question!

If you can provide a few events from the file (sanitized of course) and an example of what you want to search for, I am sure the community can help. Oh, and what exactly do you mean by "dynamic"? I assume that you mean the search terms will need to change regularly...

🙂

Is it possible to feed splunk a file and use values from it in a search?

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...