Splunk lookuptable

0
votes

I have a csv with different kind of IoCs in it like email addresses, IPs, etc. I want to run a search on any of my indexes which would return each record that has any match with my list. This is what I want to achieve:

index=* "item1" OR "item2" OR "item3"

Since I have a thousand items on my list this won't work. So, I uploaded my csv as a lookuptable and tried the following:

index=* [| inputlookup  test.csv]

This returns nothing, but if I search for each item "manually" then I get results. What am I missing?

1
splunksplunk-query
This Splunk Answers Link looks like it contains what you are trying to figure out how to do. I don't really want to steal someone else's answer though - Colby

1 Answers

1
votes

It would help to know the format of your CSV, but this should help.

index=* [| inputlookup  test.csv | format]

If you insist on using index=*, do yourself a favor and use a small time window.