topic Re: Why is my inputlookup search not pulling a field from a CSV file needed to populate a timechart? in Splunk Search

Why is my inputlookup search not pulling a field from a CSV file needed to populate a timechart?

athorat — Fri, 28 Aug 2015 22:05:10 GMT

Requirement was to delete the contents of the index as soon as a new .csv file arrives and index the contents of the new .csv file to use in a dashboard until the next data arrives.

There is a key value pair called state, but that is not visible when I use:

| inputlookup  test.csv

But when I index the data, I see the state field and can create a timechart.

This works:

index=input.csv |  timechart  count(state) as Count by state

The problem is when I use:

|inputlookup test.csv| timechart  count(state) as Count by state

This does not work as its not able to find the state field, so I tried to use

|inputlookup test.csv|fields state | timechart  count(state) as Count by state

but even this does not work.

However, when I used:

|inputlookup test.csv|fields state

it pulls the state field.

How to get the timechart working using inputlookup?

Re: Why is my inputlookup search not pulling a field from a CSV file needed to populate a timechart?

woodcock — Sat, 29 Aug 2015 02:42:55 GMT

Try using inputcsv instead of inputlookup like this:

| inputcsv test.csv | timechart count AS Count BY state

Re: Why is my inputlookup search not pulling a field from a CSV file needed to populate a timechart?

athorat — Mon, 31 Aug 2015 18:42:26 GMT

Re: Why is my inputlookup search not pulling a field from a CSV file needed to populate a timechart?

woodcock — Mon, 31 Aug 2015 18:58:19 GMT

There has to be something wrong with your test.csv. What are the first 2 lines of the file?

Re: Why is my inputlookup search not pulling a field from a CSV file needed to populate a timechart?

athorat — Tue, 29 Sep 2020 07:12:14 GMT

assigned_to u_vendor_ticket state sys_created_on
Jyotsna In Progress 6/17/2015 11:50

u_vendor_ticket does not have any value.

Re: Why is my inputlookup search not pulling a field from a CSV file needed to populate a timechart?

woodcock — Mon, 31 Aug 2015 19:12:08 GMT

Based on this first-2-lines sample of test.csv:

assigned_to u_vendor_ticket state sys_created_on
Jyotsna In Progress 6/17/2015 11:50

The problem is that it isn't a CSV! There are no commas. Assuming that the file contains Tabs (TSV) so you can convert it to CSV with linux shell like this:

sed "s/\t/,/g" test.csv

In any case, you have to convert it to a CSV (fields separated by commas) before anything will work.