This expanded search will be

```
index=proxy123 activity="download" OR OR
```

may be more suitable to your data. This approach assumes that you have the username field extracted in the first place.

What happens here in the subsearch (the bit in the ) is that the subsearch will be expanded first, in this case, to OR OR. So your main search will turn into

```
index=proxy123 activity="download" OR OR
```

may be more efficient than returning all the data in the index, then discarding anything that doesn't match the list of users.

Now, depending on the volume of data you have in your index and how much data is being discarded when not matching a username in the CSV, there may be alternate approaches you can try, for example, this one using a subsearch.

If Source got passed back at all, it would act as a limit on the main search, rather than giving extra information.

To learn more about the lookup command, see How the lookup command works.

Try the following:

```
index=proxy123 activity="download" | lookup username.csv users AS username OUTPUT users | where isnotnull(users)
```

sbbadri - The user didn't say so, but the brackets indicate that this is a subsearch, so this solution will not work.

lookup command examples

The following are examples for using the SPL2 lookup command.

Fortunately, the lookup command has a mechanism for renaming the fields during the lookup. In the lookup file, the name of the field is users, whereas in the event, it is username.

This add-on allows you to use ChatGPT in the Splunk search bar, using the 'ask' command.