Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

An external script saves "host" values in a csv, but names the field after the first result. How do I get the file to name the field "host" to run an inputlookup?

tkwaller
Builder
‎04-22-2015 05:35 AM

Hello

I have an external script that runs and saves the results in a file I called puppet_results.csv in $SPLUNK_HOME/etc/apps/search/lookups. I verified that it returns results by running | inputlookup puppet_results.csv which returned 482 results so the data is there.

So I created a search:

index=_internal | dedup host | inputlookup append=t puppet_results.csv | stats count by host | where count < 2

I get the results of the initial search, but get no results from the "inputlookup" portion.

The reason is that the field host in the puppet_results.csv from the script is not named "host". It's named after the first result in the file.

Any idea on how I could get the file to name the field as "host"?

Thanks for the help!

0 Karma
Reply

aalanisr26
Path Finder
‎04-22-2015 02:29 PM

The easiest way would be to change the external script to include the header, but if this is not an option we need to fix the lookup to force "host" header, this is what I would do:

|inputlookup puppet_results.csv | transpose|transpose|eval host='row 1'| fields - "row 1",column | outputlookup puppet_resultswithheader.csv

that would fix the column name as host and use the first value you had before as a value not as a header.

then you can run your query:

 index=_internal | dedup host | inputlookup append=t puppet_resultswithheader.csv | stats count by host | where count < 2
0 Karma
Reply

aweitzman
Motivator
‎04-22-2015 06:56 AM

The easiest thing to do here would probably be to change your external script so that the first line of your CSV contains the field names of the columns.

0 Karma
Reply
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...
Top