Splunk app available at
This supporting add-on provides one custom search command, matched. It is built on the Splunk SDK.
Available at:
Version: 1.1
Command reference:
The matched command finds which of a list of terms occur in a text field of each event. The terms come either from a column of a CSV file or from a field holding a comma separated list. Unless you specify a different field with textfield, matches are made against the contents of the _raw field.
The matched command appends a new field to each event listing the terms that matched. You name that field with the labelfield parameter, which defaults to searchTermsMatched. Either the csv or the search_terms_field parameter is required; search_terms_field must name a field whose value is a comma separated list of terms.
The command was created in response to a need identified in Splunk Answers 33662, Identifying the Search Terms Matched.
Syntax: matched (csv=<filename> | search_terms_field=<field>) [textfield=<field>] [csvfield=<field>] [labelfield=<field>]

csv | search_terms_field (one of the two is required)
Syntax: csv=<filename> or search_terms_field=<field>
Description: csv specifies a CSV filename, including the complete path. search_terms_field instead names a field whose value is a comma separated list of terms to search for.
Usage: For the csv option, if the CSV file is in a directory the command looks in by default, the bare filename (filename.csv) is sufficient; otherwise enter the entire path, for example /home/user/filename.csv. Because csv accepts any path, the file is read with the filesystem permissions of the Splunk search process; keep term lists under a directory Splunk already manages (the examples below use a lookups directory and var/run/splunk/csv) rather than pointing the command at arbitrary files.

textfield
Syntax: textfield=<field>
Description: The field whose contents are searched for term matches.
Default: _raw

csvfield
Syntax: csvfield=<field>
Description: The column inside the CSV file whose values are the terms to search for (requires the csv option).

labelfield
Syntax: labelfield=<field>
Description: Name of the field to write the matched search terms to.
Default: searchTermsMatched
Examples:

1. Find events that mention any ransomware variant listed in a lookup and label each event with the variant(s) it contains. The subsearch turns the lookup's variant column into search terms, so only events containing at least one variant are returned; matched then records which of the listed variants appear in _raw. The csv path is the lookup's own CSV file:

* [|inputlookup ransomware_variants|rename variant as search|format]|table _time _raw|matched csv="/opt/splunk/etc/system/lookups/ransomware_variants.csv"

2. Summarize failed logons (Windows EventCode 4625) by user, host and source, and flag users who also appeared in a previously exported report. textfield=user compares the user field instead of _raw, csvfield=user selects the column of the exported CSV that holds the user names, and the matches are written to recurFromLastReport:

EventCode=4625 | stats values(src) as src count as user_count by user,host,src_ip | matched csv="/opt/splunk/var/run/splunk/csv/previousFailedLogons.csv" textfield=user labelfield=recurFromLastReport csvfield=user
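The behaviour the command reference and the two searches above describe, reimplemented in plain Python as an added example. This is not the add-on's code (the real command is a Splunk SDK custom command); the sample CSVs and events are constructed, and case-insensitive substring matching, the multivalue (list) result, and the safe_csv_path confinement check are assumptions of this example rather than documented behaviour of matched.

```python
import csv
import io
import os

# Defaults named in the command reference.
DEFAULT_TEXTFIELD = "_raw"
DEFAULT_LABELFIELD = "searchTermsMatched"


def terms_from_csv(csv_text, csvfield):
    """Terms for the csv= path: the non-empty values of column `csvfield`.

    A missing column is reported instead of silently yielding no terms,
    which would otherwise make every event look like a non-match.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    header = reader.fieldnames or []
    if csvfield not in header:
        raise ValueError(f"csvfield {csvfield!r} not in CSV header {header}")
    terms = []
    for row in reader:
        value = (row.get(csvfield) or "").strip()
        if value:
            terms.append(value)
    return terms


def terms_from_field(value):
    """Terms for the search_terms_field= path: a comma separated list."""
    return [t.strip() for t in str(value).split(",") if t.strip()]


def safe_csv_path(path, allowed_dir):
    """Assumed hardening, not part of the add-on: csv= accepts any path, so
    confine it to one directory. realpath() resolves symlinks and '..' first,
    so a link under allowed_dir that points elsewhere is still rejected."""
    real = os.path.realpath(path)
    root = os.path.realpath(allowed_dir)
    if os.path.commonpath([real, root]) != root:
        raise PermissionError(f"{path!r} resolves outside {allowed_dir!r}")
    return real


def matched(events, terms, textfield=DEFAULT_TEXTFIELD,
            labelfield=DEFAULT_LABELFIELD):
    """Append `labelfield` to every event: the terms found in `textfield`.

    Assumptions: case-insensitive substring matching; the result is a list
    (a Splunk multivalue field), empty when nothing matched or the event has
    no `textfield`. Input events are copied, not modified in place.
    """
    out = []
    for event in events:
        text = str(event.get(textfield, "")).lower()
        hits = [t for t in terms if t.lower() in text]
        labelled = dict(event)
        labelled[labelfield] = hits
        out.append(labelled)
    return out


# Constructed sample data standing in for the lookup, the exported report
# and the events of the two searches in the Examples section.
RANSOMWARE_VARIANTS_CSV = "variant\nLocky\nWannaCry\nCerber\n"
RAW_EVENTS = [
    {"_time": "2017-05-12T09:01:00", "_raw": "AV alert: WannaCry detected on HOST01"},
    {"_time": "2017-05-12T09:04:00", "_raw": "invoice.docm opened; locky payload written"},
    {"_time": "2017-05-12T09:05:00", "_raw": "heartbeat ok"},
]
PREVIOUS_FAILED_LOGONS_CSV = "user,host,user_count\nalice,HOST01,12\ncarol,HOST02,3\n"
FAILED_LOGON_ROWS = [
    {"user": "alice", "host": "HOST01", "src_ip": "10.0.0.5", "user_count": 9},
    {"user": "bob", "host": "HOST01", "src_ip": "10.0.0.6", "user_count": 2},
]


def label_ransomware_events():
    """Example 1: which listed variant(s) each raw event mentions."""
    return matched(RAW_EVENTS, terms_from_csv(RANSOMWARE_VARIANTS_CSV, "variant"))


def label_recurring_users():
    """Example 2: flag users present in the previous report's user column."""
    return matched(FAILED_LOGON_ROWS,
                   terms_from_csv(PREVIOUS_FAILED_LOGONS_CSV, "user"),
                   textfield="user", labelfield="recurFromLastReport")


if __name__ == "__main__":
    for ev in label_ransomware_events():
        print(ev["_time"], ev["searchTermsMatched"])
    for row in label_recurring_users():
        print(row["user"], row["recurFromLastReport"])
```

The confinement check is the practical answer to the csv path caveat in the reference: resolve the requested file and the permitted directory with realpath() before comparing, so neither a relative ".." nor a symlink planted under the lookups directory can redirect the read elsewhere.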
Support will be provided through Splunkbase
Release notes: Fixed an issue with the textfield option not working properly. Added configuration to support search syntax highlighting on Splunk 6.5.