Splunk Search

lookup/inputlookup from csv

barneser
Engager

Hey,

I'm trying to search Splunk indexes for the content within a CSV.

The CSV will either contain IP addresses or URLs and has no headers. In this case I have called it Test_www.csv.

I have tried a few things I have found online with no luck.
index = * [| inputlookup CTI_Test_www.csv ]

The aim would be that, on an ad hoc basis, I will upload the CSV and see if we have had any hits on the domains or IPs previously.

Thanks for your help.

0 Karma

gcusello
SplunkTrust

Hi @barneser,
When you load a CSV as a lookup you always have to insert a header with field names; if not, you'll have field1, field2, ... as field names.
Anyway, if in your logs you have already extracted a field for the IP (e.g. using a regex) called IP, you can run a search like this (if the lookup field containing the IP is field1):

index = * [ | inputlookup CTI_Test_www.csv | rename field1 AS IP | fields IP ]
| ...

If instead you didn't extract fields from your logs, you can use something like this, which runs a full-text search:

index = * [ | inputlookup CTI_Test_www.csv | rename field1 AS query | fields query ]
| ...

Ciao.
Giuseppe

0 Karma

barneser
Engager

Hi Giuseppe,
thanks for your reply.

I have recreated the CSV, added the field name "ip_lookup", put google.com as the value, and ran the search below.

index = * [|inputlookup Test_www.csv |fields ip_lookup]

Unfortunately no hits, but if I just search for index = * google.com I get multiple hits.

0 Karma

gcusello
SplunkTrust

Hi @barneser,
As I said, the field name that you use in the lookup (ip_lookup) must already be extracted in your logs and must have the same name; otherwise you cannot use this search.
In other words, if in your logs there's a field called "ip", you have to rename the field in the lookup:

index = * [|inputlookup Test_www.csv |rename ip_lookup AS ip | fields ip ]
| ...

If there isn't any field in your logs, you have to use the second search I hinted at:

index = * [ | inputlookup CTI_Test_www.csv | rename ip_lookup AS query | fields query ]
| ...

Ciao.
Giuseppe

0 Karma
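The difference between the two searches in the answers above, modelled as an added Python example (this is not code from either post, and it is not Splunk itself): it loads a CSV the way the answers describe `inputlookup` treating a header row or its absence, expands the subsearch rows into the OR'd fragment that Splunk substitutes into the outer search, and runs that fragment over a few constructed events. The lookup contents, the event lines, and the substring approximation of Splunk's free-text term matching are all assumptions made for illustration.

```python
import csv
import io

# Constructed sample data (not from the original thread): a headerless lookup
# like the asker's first CSV, and the version with the header they added later.
HEADERLESS_CSV = "google.com\n8.8.8.8\n"
HEADER_CSV = "ip_lookup\ngoogle.com\n8.8.8.8\n"

# Constructed events. Only the first and third have an extracted "ip" field;
# the second carries the indicator in _raw only (no field extraction at all).
EVENTS = [
    {"_raw": "2024-05-01T10:00:01 src=10.1.2.3 dst=8.8.8.8 action=allowed", "ip": "8.8.8.8"},
    {"_raw": "2024-05-01T10:00:02 GET http://google.com/ 200 1234"},
    {"_raw": "2024-05-01T10:00:03 src=10.1.2.4 dst=1.1.1.1 action=allowed", "ip": "1.1.1.1"},
]


def inputlookup(text, has_header):
    """Load a CSV the way the answer describes `| inputlookup`: a header row
    supplies the field names; without one the columns become field1, field2, ..."""
    rows = [r for r in csv.reader(io.StringIO(text)) if r]
    if not rows:
        return []
    if has_header:
        names, body = rows[0], rows[1:]
    else:
        names = [f"field{i + 1}" for i in range(max(len(r) for r in rows))]
        body = rows
    return [dict(zip(names, r)) for r in body]


def expand_subsearch(lookup_rows, src_field, dst_field):
    """Model `| rename src AS dst | fields dst` inside a subsearch. Splunk turns
    the returned rows into an OR'd fragment: dst="v1" OR dst="v2". The special
    field name `query` is emitted as bare terms instead, so the outer search
    becomes a free-text search rather than a field comparison."""
    clauses = []
    for row in lookup_rows:
        value = row.get(src_field)
        if value is None:
            continue
        clauses.append(f'"{value}"' if dst_field == "query" else f'{dst_field}="{value}"')
    return "(" + " OR ".join(clauses) + ")"


def event_matches(event, dst_field, value):
    """Apply one clause to one event. Free-text matching is approximated as a
    case-insensitive substring test on _raw (an assumption; real Splunk matches
    on indexed terms). A field clause only matches if the event has that field."""
    if dst_field == "query":
        return value.lower() in event["_raw"].lower()
    return event.get(dst_field, "").lower() == value.lower()


def run_search(events, lookup_rows, src_field, dst_field):
    """Return (expanded search fragment, indexes of matching events)."""
    fragment = expand_subsearch(lookup_rows, src_field, dst_field)
    values = [r[src_field] for r in lookup_rows if src_field in r]
    hits = [i for i, e in enumerate(events)
            if any(event_matches(e, dst_field, v) for v in values)]
    return fragment, hits


if __name__ == "__main__":
    rows = inputlookup(HEADER_CSV, has_header=True)
    # 1. `| fields ip_lookup`: no event has a field called ip_lookup -> 0 hits
    print(run_search(EVENTS, rows, "ip_lookup", "ip_lookup"))
    # 2. `| rename ip_lookup AS ip | fields ip`: hits only where ip was extracted
    print(run_search(EVENTS, rows, "ip_lookup", "ip"))
    # 3. `| rename ip_lookup AS query | fields query`: free-text, matches raw text too
    print(run_search(EVENTS, rows, "ip_lookup", "query"))
    # A headerless CSV gets auto-named columns
    print(inputlookup(HEADERLESS_CSV, has_header=False))
```

Running it reproduces the thread: the asker's `| fields ip_lookup` form returns no hits because no event carries a field of that name, the `rename ip_lookup AS ip` form matches only events where `ip` was actually extracted, and the `rename ... AS query` form matches the event whose only trace of the indicator is in the raw text, which is why that form is the safe default for an ad hoc indicator sweep.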