Hi, All,
Here's what I have:
I have a csv file (1 column, 1000 values) which I've uploaded to the lookup dir:
"/opt/splunk/etc/users/my-user/my-app/lookups/test.csv"
I have a search result that displays (currently) all of the occurrences of 1 criteria item:
index="my-app" process="my-process" "string-condition-1" "main-string-condition"
Here's what I'm trying to achieve:
What I want to do is to replace the "main-string-condition" by the items in the csv file. So basically creating sort of a loop where Splunk will search the app log and look each time for a value from the CSV file, until it processes all the 1000 values in the CSV.
There would be many occurrences for each item of the CSV file, so I'd like to limit that to e.g. 1 occurrence per CSV file item. I know I can do that with | head 1, but in this complex search not sure where to put it.
I've never worked with inputlookup yet, and not sure if that is the correct command to use, also seems like I need to use a sub-search here, but not sure how to bring it all together.
In the end I'd also like to export the results, but that I believe I can do simply from the results view.
Appreciate your help on this.