Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

An external script saves "host" values in a csv, but names the field after the first result. How do I get the file to name the field "host" to run an inputlookup?

tkwaller
Builder
‎04-22-2015 05:35 AM

Hello

I have an external script that runs and saves the results in a file I called puppet_results.csv in $SPLUNK_HOME/etc/apps/search/lookups. I verified that it returns results by running | inputlookup puppet_results.csv which returned 482 results so the data is there.

So I created a search:

index=_internal | dedup host | inputlookup append=t puppet_results.csv | stats count by host | where count < 2

I get the results of the initial search, but get no results from the "inputlookup" portion.

The reason is that the field host in the puppet_results.csv from the script is not named "host". It's named after the first result in the file.

Any idea on how I could get the file to name the field as "host"?

Thanks for the help!

0 Karma
Reply

aalanisr26
Path Finder
‎04-22-2015 02:29 PM

The easiest way would be to change the external script to include the header, but if this is not an option we need to fix the lookup to force "host" header, this is what I would do:

|inputlookup puppet_results.csv | transpose|transpose|eval host='row 1'| fields - "row 1",column | outputlookup puppet_resultswithheader.csv

that would fix the column name as host and use the first value you had before as a value not as a header.

then you can run your query:

 index=_internal | dedup host | inputlookup append=t puppet_resultswithheader.csv | stats count by host | where count < 2
0 Karma
Reply

aweitzman
Motivator
‎04-22-2015 06:56 AM

The easiest thing to do here would probably be to change your external script so that the first line of your CSV contains the field names of the columns.

0 Karma
Reply
Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

New Release | Splunk Cloud Platform 10.1.2507

Hello Splunk Community!We are thrilled to announce the General Availability of Splunk Cloud Platform 10.1.2507 ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

&#x1f5e3; You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...