Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to get a result from CSV file by searching in CSV?

srvnkumr36
Observer
‎08-16-2022 12:46 AM

Hi,

We have a CSV file with the master data where all the constants are stored and have four columns, in the Splunk query we will get one of the columns as a result.  need to change the outcome with another column name from the CSV file. 

 

Sample - We have an id like this - "58vv1578eff-985sfv294-asfd" from the query result and this need to be changed to -  2897 in the final result. 

 

TIA., 

 

Regards,

SM. 

Labels (1)
Labels
0 Karma
Reply

srvnkumr36
Observer
‎08-16-2022 01:06 AM

index=***** sourcetype="*****" "Properties.RequestPath"="*/v1/locations*" "Properties.StatusCode">399 "Properties.TraceId"!="" | dedup "Properties.TraceId" | rex field=RenderedMessage "/v1/locations/(?<LocationUUID>[^\"]+)" | table "Properties.TraceId" LocationUUID "Properties.StatusCode"| eval IsExist=1 | append [|inputlookup tam_inf_hosts.csv | table LocationUUID | eval IsExist=0] | stats max(IsExist) as Exist by LocationUUID | where Exist=0 | stats values(store) as Stores


above is the query. CSV file will have 2 columns - Location UUID and Host. 

Location UUID needs to be replaced by the host. No there is no index  on CSV file 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎08-16-2022 01:22 AM

Hi @srvnkumr36,

the problem is that after a stats command you have only the fields in the stats, in your case you want to use  at the end of your search the field store that isn't present in the previous stats command, you you haven't it.

You have to modify the first stats command adding store.

index=***** sourcetype="*****" "Properties.RequestPath"="*/v1/locations*" "Properties.StatusCode">399 "Properties.TraceId"!="" 
| dedup "Properties.TraceId" 
| rex field=RenderedMessage "/v1/locations/(?<LocationUUID>[^\"]+)" 
| table "Properties.TraceId" LocationUUID "Properties.StatusCode"
| eval IsExist=1 
| append [
   | inputlookup tam_inf_hosts.csv 
   | table LocationUUID 
   | eval IsExist=0
   ] 
| stats max(IsExist) as Exist values(store) AS store by LocationUUID 
| where Exist=0 
| stats values(store) as Stores

Ciao.

Giuseppe

0 Karma
Reply

srvnkumr36
Observer
‎08-16-2022 02:45 AM

Still, the location UUID is not replaced by the Store number which is in the CSV file 😞 @gcusello 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎08-16-2022 07:20 AM

Hi @srvnkumr36,

sorry but I don't understand: what's the relation between LocationUUID and store?

to aggregate two data sets (one from the main search and one from the lookup) you need to have the same fieldname.

What are the firlds from the main search and what the ones from the lookup to use?

Ciao.

Giuseppe

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎08-16-2022 01:03 AM

Hi @srvnkumr36,

could you share your search and the structure of your csv file?

Did you indexed it?

Ciao.

Giuseppe

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...