topic Re: How do I combine data from CSV with data from index in Splunk Search

How do I combine data from CSV with data from index

WXY — Sat, 29 Sep 2018 08:52:36 GMT

Now ,I have a lookup named exchange.csv , and index="exchange_data"
The data in the exchange.csv is extracted from index="exchange_data"It contains the fields extracted from the index data :

Sys_Name         App_Name
sys1              app1
sys2              app2

such as :

there are fields in the index="exchange_data" : ID,priority;
I want to get a table contains : ID ,priority, sysname ,appname
such as :

How can I combine them?

Re: How do I combine data from CSV with data from index

jkat54 — Tue, 29 Sep 2020 21:28:14 GMT

Try this

index=exchange_data | lookup exchange.csv Sys_Name as host OUTPUT App_Name | table _time ID, Priority Sys_Name, App_Name

You have to have a field in your data that matches a field in your lookup.
They must match the field name and the value with cAsE sensitivity.

If Sys_Name matches the host field in your exchange_data index then my search above would work fine. If you don’t have any fields in your data that match your lookup, you can’t really use the lookup.

http://docs.splunk.com/Documentation/Splunk/7.1.2/SearchReference/Lookup

Re: How do I combine data from CSV with data from index

WXY — Sun, 30 Sep 2018 01:33:17 GMT

but I can only use this command ：|inputcsv
Other commands cannot query my csv file

Re: How do I combine data from CSV with data from index

ddrillic — Tue, 29 Sep 2020 21:24:52 GMT

Interesting command this inputcsv command -

inputcsv

It says -

For Splunk Enterprise deployments, loads search results from the specified .csv file, which is not modified. The filename must refer to a relative path in $SPLUNK_HOME/var/run/splunk/csv (or $SPLUNK_HOME/var/run/splunk/dispatch// if dispatch = true). If the specified file does not exist and the filename does not have an extension, then the Splunk software assumes it has a filename with a .csv extension.

Re: How do I combine data from CSV with data from index

WXY — Sun, 30 Sep 2018 01:45:04 GMT

And the fields in the exchange.csv are custom and do not exist in the data. The field value is in the data

Re: How do I combine data from CSV with data from index

WXY — Sun, 30 Sep 2018 01:58:19 GMT

I know this .But I can not use it to associate exchange.csv with index = exchange_data

Re: How do I combine data from CSV with data from index

jkat54 — Mon, 01 Oct 2018 11:47:17 GMT

If 0 fields in the csv match 0 fields in your data. Then you’ll not be able to use the lookup in a traditional manner.

Instead you could do this

| inputlookup yourloolup.csv
| append [ search index=exchange_data]

Re: How do I combine data from CSV with data from index

mstjohn_splunk — Mon, 01 Oct 2018 19:29:40 GMT

Hi @wxy,

Did either of the answers below solve your problem? If so, please resolve this post by approving one of them!
If your problem is still not solved, keep us updated so that someone else can help ya. Thanks for posting!