Now I have a lookup named exchange.csv, and the data in exchange.csv is extracted from index="exchange_data". It contains the fields extracted from the index data, such as:

Sys_Name App_Name
sys1 app1
sys2 app2

There are fields in index="exchange_data": ID, priority.
I want to get a table containing: ID, priority, sysname, appname
such as:
How can I combine them?
Did either of the answers below solve your problem? If so, please resolve this post by approving one of them!
If your problem is still not solved, keep us updated so that someone else can help ya. Thanks for posting!
If no fields in the csv match any fields in your data, then you’ll not be able to use the lookup in a traditional manner.
Instead you could do this
| inputlookup yourlookup.csv
| append [ search index=exchange_data ]
index=exchange_data | lookup exchange.csv Sys_Name AS host OUTPUT App_Name | table _time, ID, priority, host, App_Name
You have to have a field in your data that matches a field in your lookup.
They must match the field name and the value with cAsE sensitivity.
If SysName matches the host field in your exchangedata index then my search above would work fine. If you don’t have any fields in your data that match your lookup, you can’t really use the lookup.
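The matching rule the answer above describes (the lookup field must line up with an event field by name and by exact, case-sensitive value, and unmatched events simply get no output field) is shown here as an added example in Python that emulates `| lookup exchange.csv Sys_Name AS host OUTPUT App_Name` over constructed data. It is not code from the original post or from Splunk; the CSV rows, the events and the field name `host` are assumptions chosen to match the thread.

```python
import csv
import io

# Constructed lookup file standing in for exchange.csv (not data from the page).
EXCHANGE_CSV = """Sys_Name,App_Name
sys1,app1
sys2,app2
"""

# Constructed events standing in for index="exchange_data". The third event has a
# mixed-case host and the fourth has a host that is not in the lookup at all.
EVENTS = [
    {"_time": "2024-01-01T00:00:00", "ID": "1", "priority": "high", "host": "sys1"},
    {"_time": "2024-01-01T00:01:00", "ID": "2", "priority": "low", "host": "sys2"},
    {"_time": "2024-01-01T00:02:00", "ID": "3", "priority": "low", "host": "SYS1"},
    {"_time": "2024-01-01T00:03:00", "ID": "4", "priority": "high", "host": "sys9"},
]


def load_lookup(csv_text):
    """Parse the CSV into a list of row dicts, the way inputlookup would."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def lookup(events, rows, match, output, case_sensitive=True):
    """Emulate `| lookup <file> <lookup_field> AS <event_field> OUTPUT <fields>`.

    match  -- (lookup_field, event_field) pair, e.g. ("Sys_Name", "host");
              this is the `AS` rename the answer above relies on.
    output -- lookup fields copied onto each matching event.
    Events with no matching row pass through unchanged: the output fields are
    simply absent on them, as in Splunk. case_sensitive=True mirrors the
    default (transforms.conf case_sensitive_match = true).
    """
    lookup_field, event_field = match
    norm = (lambda v: v) if case_sensitive else (lambda v: v.lower())
    index = {}
    for row in rows:
        index.setdefault(norm(row[lookup_field]), row)  # first matching row wins
    enriched = []
    for ev in events:
        ev = dict(ev)
        key = ev.get(event_field)
        row = index.get(norm(key)) if key is not None else None
        if row is not None:
            for field in output:
                ev[field] = row[field]
        enriched.append(ev)
    return enriched


def table(events, fields):
    """Emulate `| table f1, f2, ...`: one list per event, missing fields as None."""
    return [[ev.get(f) for f in fields] for ev in events]


if __name__ == "__main__":
    rows = load_lookup(EXCHANGE_CSV)
    strict = lookup(EVENTS, rows, ("Sys_Name", "host"), ["App_Name"])
    print("case-sensitive (Splunk default):")
    for line in table(strict, ["ID", "priority", "host", "App_Name"]):
        print(line)
    # Event 3 ("SYS1") gets no App_Name above; relaxing the match fixes it,
    # while event 4 ("sys9") still has no row to join against.
    relaxed = lookup(EVENTS, rows, ("Sys_Name", "host"), ["App_Name"], case_sensitive=False)
    print("case-insensitive:")
    for line in table(relaxed, ["ID", "priority", "host", "App_Name"]):
        print(line)
```

Run it and compare the two tables: the row for ID 3 only gains an App_Name once the match is made case-insensitive, which is the same effect you get in Splunk by normalizing the key with `eval host=lower(host)` before the `lookup`, or by setting `case_sensitive_match = false` on the lookup definition. ID 4 stays without App_Name in both runs because nothing in the CSV matches it, so a `table` that lists App_Name shows it empty rather than dropping the event.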
Interesting command, this inputcsv command. It says:
For Splunk Enterprise deployments, loads search results from the specified .csv file, which is not modified. The filename must refer to a relative path in $SPLUNK_HOME/var/run/splunk/csv (or $SPLUNK_HOME/var/run/splunk/dispatch/<job id>/ if dispatch = true). If the specified file does not exist and the filename does not have an extension, then the Splunk software assumes it has a filename with a .csv extension.