- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How can I add a name from a lookup CSV file to a t...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How can I add a name from a lookup CSV file to a tstats command data model?
Hello Everyone,
I want in my reports display the name of the owner instead of the IP address.
My report right now shows the IP, so I created a lookup CSV file in which the IP is associated with the name. What I want is to replace the IP with the name in the lookup and have that appear in the report.
The problem here is that the search is using the tstats command and the IP comes from an accelerated data model that does not include the field name that appears in my CSV file.
How can I retrieve the name that is in my CSV file instead of the IP field that is on the data model?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What about this? I think you have just messed up the event field name (log.scrip) that needs to be used for the lookup.
| tstats summariesonly=f count FROM datamodel="modela" where nodename="log.traffic" log.srcip="*" log.dstip="*" (log.suser="*" OR log.user="") (log.app="*" OR log.app="") log.vd="*" log.devname="*" log.srcintf="*" log.dstintf="*" groupby log.srcip
| lookup lookup.csv srcip as log.srcip OUTPUT name
| sort -count | head 20
You didn't provide the information about the CSV file, but I will assume (1) the file has been loaded as a lookup into Splunk and (2) the first line of the CSV file contains at least
scrip,name
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Please provide your current search and lookup file headers. someone might be able to help
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is my current search:
| tstats summariesonly=f count FROM datamodel="modela" where nodename="log.traffic" log.srcip="*" log.dstip="*" (log.suser="*" OR log.user="") (log.app="*" OR log.app="") log.vd="*" log.devname="*" log.srcintf="*" log.dstintf="*" groupby log.srcip | lookup lookup.csv srcip as srcip OUTPUT name as name | sort -count | head 20
but the results only shows the srcip field and i want the srcip field (which is an ip address ) and the owner of that ip (the field name which is the field extracted in my lookup file)
Thanks and regards.
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
