fishmong3r
Reputation: 1434
Splunk lookuptable
I have a csv with different kind of IoCs in it like email addresses, IPs, etc. I want to run a search on any of my indexes which would return each record that has any match with my list.
This is what I want to achieve:
index=* "item1" OR "item2" OR "item3"
Since I have a thousand items on my list this won't work. So, I uploaded my csv as a lookuptable and tried the following:
index=* [| inputlookup test.csv]
This returns nothing, but if I search for each item "manually" then I get results. What am I missing?
Upvotes: 0
Views: 76
Answers (1)
RichG
Reputation: 9926
It would help to know the format of your CSV, but this should help.
index=* [| inputlookup test.csv | format]
If you insist on using index=*, do yourself a favor and use a small time window.
Upvotes: 1
Related Questions
- Extract data from splunk
- Splunk query with conditions of an object
- Splunk conditional search
- Search for specific patterns in Splunk cloud platform
- splunk query based on log stdout
- Searching for a particular kind of field in Splunk
- Splunk query based on the results of another query
- Splunk subsearch for regex outputs
- Splunk query to filter results
- Splunk search a pattern