An external script saves "host" values in a csv, b...

tkwaller · ‎04-22-2015

Hello

I have an external script that runs and saves the results in a file I called puppet_results.csv in $SPLUNK_HOME/etc/apps/search/lookups. I verified that it returns results by running | inputlookup puppet_results.csv which returned 482 results so the data is there.

So I created a search:

index=_internal | dedup host | inputlookup append=t puppet_results.csv | stats count by host | where count < 2

I get the results of the initial search, but get no results from the "inputlookup" portion.

The reason is that the field host in the puppet_results.csv from the script is not named "host". It's named after the first result in the file.

Any idea on how I could get the file to name the field as "host"?

Thanks for the help!

aalanisr26 · ‎04-22-2015

The easiest way would be to change the external script to include the header, but if this is not an option we need to fix the lookup to force "host" header, this is what I would do:

|inputlookup puppet_results.csv | transpose|transpose|eval host='row 1'| fields - "row 1",column | outputlookup puppet_resultswithheader.csv

that would fix the column name as host and use the first value you had before as a value not as a header.

then you can run your query:

 index=_internal | dedup host | inputlookup append=t puppet_resultswithheader.csv | stats count by host | where count < 2

aweitzman · ‎04-22-2015

The easiest thing to do here would probably be to change your external script so that the first line of your CSV contains the field names of the columns.

An external script saves "host" values in a csv, but names the field after the first result. How do I get the file to name the field "host" to run an inputlookup?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?