Solved: How to add a column/field based on csv table

AllenZhang · ‎10-01-2015

I have a search like:
sourcetype="AAA"|table _time userid, and I have a table like userid, username,
how to make the result as .....|table _time userid username.

pradeepkumarg · ‎10-01-2015

upload your csv as a lookup table. Once you create a definition for your lookup, you can achieve with the below search

sourcetype="AAA" | lookup your_csv_definition_name userid output username | table _time userid username

View solution in original post

AllenZhang · ‎10-02-2015

I was going to accept both answers, but the system only allows one. Thanks to both of you!

richgalloway · ‎10-01-2015

Something like this should get you started.

sourcetype="AAA" | lookup file.csv userid OUTPUT username | table _time userid username

If you create an automatic lookup you can omit the lookup command from the search.

---
If this reply helps you, Karma would be appreciated.

pradeepkumarg · ‎10-01-2015

upload your csv as a lookup table. Once you create a definition for your lookup, you can achieve with the below search

sourcetype="AAA" | lookup your_csv_definition_name userid output username | table _time userid username

AllenZhang · ‎10-01-2015

Thanks for quick answer. I am still struggling how to upload the csv file from my computer to splunk, to make it available to the lookups. Do I need to save it to some certain folder, anything like "import" I need to do?

pradeepkumarg · ‎10-01-2015

go to settings -> lookups >lookup table files -> new

How to add a column/field based on csv table

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

AppDynamics is now part of Splunk Ideas

Advanced Splunk Data Management Strategies