Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How do I combine data from CSV with data from index

WXY
Path Finder
‎09-29-2018 01:52 AM

Now ,I have a lookup named exchange.csv , and index="exchange_data"
The data in the exchange.csv is extracted from index="exchange_data"It contains the fields extracted from the index data : 

Sys_Name         App_Name
sys1              app1
sys2              app2

such as :
alt text
there are fields in the index="exchange_data" : ID,priority;
I want to get a table contains : ID ,priority, sysname ,appname
such as :
alt text
How can I combine them?

Preview file
5 KB
Preview file
26 KB
0 Karma
Reply

mstjohn_splunk
Splunk Employee
Splunk Employee
‎10-01-2018 12:29 PM

Hi @wxy,

Did either of the answers below solve your problem? If so, please resolve this post by approving one of them!
If your problem is still not solved, keep us updated so that someone else can help ya. Thanks for posting!

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎10-01-2018 04:47 AM

If 0 fields in the csv match 0 fields in your data. Then you’ll not be able to use the lookup in a traditional manner.

Instead you could do this

| inputlookup yourloolup.csv
| append [ search index=exchange_data]

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎09-29-2018 05:05 AM

Try this

index=exchange_data | lookup exchange.csv Sys_Name as host OUTPUT App_Name | table _time ID, Priority Sys_Name, App_Name

You have to have a field in your data that matches a field in your lookup.
They must match the field name and the value with cAsE sensitivity.

If Sys_Name matches the host field in your exchange_data index then my search above would work fine. If you don’t have any fields in your data that match your lookup, you can’t really use the lookup.

http://docs.splunk.com/Documentation/Splunk/7.1.2/SearchReference/Lookup

0 Karma
Reply

WXY
Path Finder
‎09-29-2018 06:45 PM

And the fields in the exchange.csv are custom and do not exist in the data. The field value is in the data

0 Karma
Reply

WXY
Path Finder
‎09-29-2018 06:33 PM

but I can only use this command :|inputcsv
Other commands cannot query my csv file

0 Karma
Reply

ddrillic
Ultra Champion
‎09-29-2018 06:44 PM

Interesting command this inputcsv command -

inputcsv

It says -

For Splunk Enterprise deployments, loads search results from the specified .csv file, which is not modified. The filename must refer to a relative path in $SPLUNK_HOME/var/run/splunk/csv (or $SPLUNK_HOME/var/run/splunk/dispatch// if dispatch = true). If the specified file does not exist and the filename does not have an extension, then the Splunk software assumes it has a filename with a .csv extension.

0 Karma
Reply

WXY
Path Finder
‎09-29-2018 06:58 PM

I know this .But I can not use it to associate exchange.csv with index = exchange_data

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...