How do I associate the CSV file content generated ...

WXY · ‎11-04-2018

Hi,
Now I have to get a CSV file from an outputcsv command :

index="fortify"| stats values(Codelocation) as codelocation by source | rename source as source_yy| outputcsv three.csv

and I can get a outputcsv like this :

 codelocation              source_yy
/root/taw/a                a_such.xml
/home/wxy/bc           b_code.xml

I have the following index data :

user=L_cu;sys_name=project_1;codeL=/root/taw/a;status=not_online;
user=A_by;sys_name=project_2;codeL=/home/wxy/bc;status=not_online;

Now, I want to use the outputcsv command to get a outputcsv file containing codeL,sys_name,source_yy

like these :

     codeL                      sys_name                   source_yy
/root/taw/a                 project_1                    a_such.xml
/home/wxy/bc            project_2                    b_code.xml

codeL and codelocation have the same content.

What should I do？

HiroshiSatoh · ‎11-05-2018

I do not think that CSV is necessary.
You can edit it like this.

index="fortify"| stats values(Codelocation) as codeL  by source 
| rename source as source_yy
| join codeL  [search ( index data )| extract pairdelim=";", kvdelim="="]
| table codeL sys_name source_yy

※If you use CSV

( index data )| extract pairdelim=";", kvdelim="="]
　| join codeL  [search |inputcsv three.csv|renmae codelocation as codeL]
    | table codeL sys_name source_yy]

WXY · ‎11-05-2018

Thank you very much!

How do I associate the CSV file content generated by the outputcsv command with index data?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation