Reporting

How do I associate the CSV file content generated by the outputcsv command with index data?

WXY
Path Finder

Hi,
Now I have to get a CSV file from an outputcsv command :

index="fortify"| stats values(Codelocation) as codelocation by source | rename source as source_yy| outputcsv three.csv

and I can get a outputcsv like this :

 codelocation              source_yy
/root/taw/a                a_such.xml
/home/wxy/bc           b_code.xml

I have the following index data :

user=L_cu;sys_name=project_1;codeL=/root/taw/a;status=not_online;
user=A_by;sys_name=project_2;codeL=/home/wxy/bc;status=not_online;

Now, I want to use the outputcsv command to get a outputcsv file containing codeL,sys_name,source_yy

like these :

     codeL                      sys_name                   source_yy
/root/taw/a                 project_1                    a_such.xml
/home/wxy/bc            project_2                    b_code.xml

codeL and codelocation have the same content.

What should I do?

0 Karma

HiroshiSatoh
Champion

I do not think that CSV is necessary.
You can edit it like this.

index="fortify"| stats values(Codelocation) as codeL  by source 
| rename source as source_yy
| join codeL  [search ( index data )| extract pairdelim=";", kvdelim="="]
| table codeL sys_name source_yy

※If you use CSV

( index data )| extract pairdelim=";", kvdelim="="]
 | join codeL  [search |inputcsv three.csv|renmae codelocation as codeL]
    | table codeL sys_name source_yy]
0 Karma

WXY
Path Finder

Thank you very much!

0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...