topic Re: how display multiple fields in one lookup command from one csv file in Splunk Search

how to display multiple fields in one lookup command from one csv file

Bracha — Mon, 22 Jul 2024 12:10:58 GMT

This is a line of code that takes the fields from the CSV file

|lookup xxx.csv id OUTPUTNEW system time_range

I want to add one field

|lookup xxx.csv id OUTPUTNEW system time_range count_err

When I do this nothing is added, why?
I would appreciate your help, thanks

Re: how display multiple fields in one lookup command from one csv file

ITWhisperer — Mon, 22 Jul 2024 11:30:03 GMT

Either count_err doesn't exist in xxx.csv or no events have a value in id which matches an entry in xxx.csv with a corresponding value in count_err

Re: how display multiple fields in one lookup command from one csv file

Bracha — Mon, 22 Jul 2024 13:51:32 GMT

Hi @ITWhisperer

Thenks for reply

count_err is exist in xxx.csv

I forgot to mention that when I do that it does appear

[inputlookup xxx.csv |search dag_id=**** |table system, time_range, count_err]

but I have to do that in lookup

Thank

Re: how display multiple fields in one lookup command from one csv file

ITWhisperer — Mon, 22 Jul 2024 13:57:37 GMT

Does count_err have a value for every id you have in your events?

Re: how display multiple fields in one lookup command from one csv file

Bracha — Tue, 23 Jul 2024 05:37:22 GMT

yes

it is a values for id in my events

Re: how display multiple fields in one lookup command from one csv file

ITWhisperer — Tue, 23 Jul 2024 07:45:50 GMT

How large is your csv?

Re: how to display multiple fields in one lookup command from one csv file

Bracha — Tue, 23 Jul 2024 08:18:38 GMT

5 columns and 79 rows

Re: how display multiple fields in one lookup command from one csv file

Bracha — Wed, 24 Jul 2024 11:17:28 GMT

5 columns and 79 rows

Re: how display multiple fields in one lookup command from one csv file

ITWhisperer — Wed, 24 Jul 2024 12:53:45 GMT

OK so this size doesn't look like it should give you a problem, so it is possibly down to your actual data. Does it fail for all values of id? Are there other fields that you could try adding instead of count_err which might work? Can you break down the problem further to try and isolate the issue?

Re: how display multiple fields in one lookup command from one csv file

Bracha — Wed, 24 Jul 2024 18:52:57 GMT

In the CSV file I have id, system, time_range, count_err

I received a ready dashboard that monitors the DAGS from the AIRFLOW
I am interested in creating for each DAG its own alert with the same logic of the dashboard only with a small change,

in the dashboard I mark success if it returned from the AIRFLOW logs success in a time frame I gave the same field in the CSV file and ERROR if it did not return success or returned FAILED,
In the alert, I want that if I receive faild as the number of times listed in the CSV file or if it does not return success at the time_range I specified in the CSV file, that it be ERROR
The dashboard is taken from the file with the syntax of

[|inputlookup xxx.csv .....] |lookup xxx.csv dag_id OUTPUTNEW system time_range

And I want to add a field

|lookup xxx.csv dag_id OUTPUTNEW system time_range count_err

And I don't know why the extra field is not displayed

Re: how to display multiple fields in one lookup command from one csv file

manjunathmeti — Thu, 25 Jul 2024 03:01:42 GMT

hi @Bracha,

Try with OUTPUT.

If the OUTPUTNEW clause is specified, the lookup is not performed for events in which the output fields already exist in the events.
If the OUTPU T clause is specified, the output lookup fields overwrite existing fields in the events.

Re: how to display multiple fields in one lookup command from one csv file

Bracha — Thu, 25 Jul 2024 06:11:02 GMT

Hi @manjunathmeti

thanks for reply

I tried OUTPUT and its the same behavior

Re: how display multiple fields in one lookup command from one csv file

Bracha — Thu, 25 Jul 2024 06:12:42 GMT

I note that it does not alert the field that does not exist,
When I make another file that doesn't have the field, it does warn

Re: how display multiple fields in one lookup command from one csv file

Bracha — Thu, 25 Jul 2024 06:26:45 GMT

Hey
Thank you for being so helpful
Glad to say I solved it
It turns out I forgot to set it as a stats....