Solved: table question to add addtional columns/fields

omun0z · ‎02-19-2021

Hello, I'm trying to add additional columns/fields from an additional CSV table lookup at the end of the table part in a search syntax to create a Report as below, but I'm not sure if that is possible as is not working, I just get a couple of blank additional columns with some error names.

sourcetype=ib:ipam:network index=ib_ipam | eval dedup_key=view."/".address."/".cidr | dedup dedup_key | eval Network_CIDR=address."/".cidr | search view = "Ashland" | ................................................................................................ | table Timestamp, "Network View", Network, CIDR, Total, Allocated, Reserved, Assigned, Protocol, "Utilization %", Unmanaged, [|inputlookup Ashland-Networks-EAs.csv |search Network = Network_CIDR |table Network, Region_DDI]

Any help would be very appreciated.

Thanks,

Omar.

omun0z · ‎02-19-2021

Thank you so much!! It worked.

View solution in original post

omun0z · ‎02-19-2021

Hi to4kawa, I tried to add [|inputlookup Ashland-Networks-EAs.csv |search Network = Network_CIDR |table Network, Region_DDI] in the table part to add additional columns/fields based on the comun column Network_CIDR.... I think this is not the correct way, but not sure if this is possible.

Thanks,

Omar.

to4kawa · ‎02-19-2021

https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Appendcols

try appendcols with subsearch

omun0z · ‎02-19-2021

Thank you so much!! It worked.

to4kawa · ‎02-19-2021

sample:

|makeresults | table[| inputlookup geo_attr_countries.csv | table iso2 iso3]

This can't work.

your sub search can't work. 　What do you want to do?

table question to add addtional columns/fields

other

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases