Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How can I add output of a search as a new column t...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How can I add output of a search as a new column to existing csv ?
batuhankutluca
Explorer
04-01-2019
06:04 AM
Hello,
I have an existing .csv named "test.csv". In this csv file, there are fields named srcip and time. Also I have a search getting hostnames for ip's in that csv. Lookup is OK and my search is totally getting the right results. The thing I want to do is updating test.csv with the output of my results. For example I have 1.1.1.1 IP in test.csv. And my search gets "test-pc" hostname for that IP. After my search is completed I want :
- Create a new column in csv as "Host Name"
- Match IP's between csv and my search
- Add hostname for matching IP's to existing test.csv
I tried outputlookup command with append=true but It didn't work.
Hope you help me,
Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
04-01-2019
01:02 PM
Like this:
Your Search for hostname here
| rename whatever_field_has_IP AS IP
| appendpipe [|inputlookup test.csv | rename whatever_field_has_IP AS IP]
| stats values(*) AS * BY IP
| sort 0 IP(IP)
| outputlookup test.csv
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
batuhankutluca
Explorer
04-01-2019
10:41 PM
Thanks for your help but this one is overriding the results of an existing csv. I just want to do that steps:
- Create a new column in csv as "Host Name"
- Match IP's between csv and my search
- Add hostname for matching IP's to existing test.csv
I added my searches above as a comment if you want to check.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
04-01-2019
10:49 PM
My answer does exactly what you are describing. If you are not writing answer back to test.csv then delete the | outputlookup test.csv line.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
batuhankutluca
Explorer
04-01-2019
11:50 PM
I think I have figured it out somehow but still don't know why is your search doesn't work as I wanted. Maybe If I upload some screenshots, It will be more clear for you.
This is my first search with the output csv.
--
`sourcetype=firewall action=pass action=proxy
| bin _time span=5m
| dedup srcip
| eval Time = strftime(_time,"%Y-%m-%d %H:%M:%S")
| table Time, srcip, srcport, dstip
| rename srcip AS IP
| outputlookup vpn.csv`
This is my 2nd search with the output csv.
--
`index=server sourcetype=dhcp
| lookup vpn.csv srcip AS dest_ip
| search Time=*
| eval event_time=strptime(Time,"%Y-%m-%d %H:%M:%S")
| where _time < event_time
| stats latest(dest_nt_host) as dest_nt_host max(_time) as _time by dest_ip
| sort - _time
| rename dest_ip AS IP
| outputlookup vpn2.csv`
And the result is like that
--
`| inputlookup vpn.csv
| join IP
[inputlookup vpn2.csv]
| outputlookup vpn3.csv`
Now it works as I wanted. That's what I was trying to explain. But I'm still open for advices.
Images don't show up somehow.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
batuhankutluca
Explorer
04-01-2019
10:54 PM
I want to write results back to csv just for the matching ip's as a new column. Your query works like overriding all existing columns and rows and write back the new search's results to test.csv. That's why I said like that.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
04-01-2019
12:13 PM
Whats' the full search that you've tried? Also, when you said it didn't work, what error or wrong result you were getting?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
batuhankutluca
Explorer
04-01-2019
10:24 PM
sourcetype=firewall action=pass action=proxy
| bin _time span=5m
| dedup srcip
| eval Time = strftime(_time,"%Y-%m-%d %H:%M:%S")
| table Time, srcip, srcport, dstip, dstport, app
| outputlookup vpn.csv
This is my first search to create a lookup.
And my 2nd search is
sourcetype=dhcp
| lookup vpn.csv srcip AS dest_ip
| search Time=*
| eval event_time=strptime(Time,"%Y-%m-%d %H:%M:%S")
| where _time < event_time
| stats latest(dest_nt_host) as dest_nt_host by dest_ip
| outputlookup append=true vpn.csv
Actually I'm not getting any errors, just my lookup is not updating. That's the problem.
Get Updates on the Splunk Community!
Mastering Data Pipelines: Unlocking Value with Splunk
In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...
Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0
Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...
See your relevant APM services, dashboards, and alerts in one place with the updated ...
As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...
