Append a lookup value from csv to a chart table

Topher22 · ‎10-09-2024

I am looking to append a value in a lookup csv to an existing search

index=*
|fields _time,x |chart count(_raw) by X

and I want to replace(or append) the X with a value(name) from a csv so I can table the results.

yuanliu · ‎10-10-2024

If you have lots of events, performing lookup after stats will be more efficient.

index=*
| chart count by X
| lookup my-lookup.csv Y AS X OUTPUT X_description

This will add an extra field. If you don't want to see X, just remove it with fields command.

gcusello · ‎10-09-2024

Hi @Topher22 ,

you can append or replace a value , as you would, simply using the lookup command:

if in the lookup the field to replace is Y and must be related to X from the main search and you want to use the value X_descrition from the lookup, you can use something like this:

index=*
| lookup my-lookup.csv Y AS X OUTPUT X_description
| chart count(_raw) by X_description

You can find more infos about the lookup command at https://docs.splunk.com/Documentation/Splunk/9.3.1/SearchReference/Lookup

Ciao.

Giuseppe

Append a lookup value from csv to a chart table

lookup

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!

Join the Conversation

Append a lookup value from csv to a chart table

lookup

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!