Splunk Search

How do I merge columns from a CSV with an existing input lookup file?

syedsalam
New Member

Hi Team,

I have an input lookup file called windows.CSV and have another .CSV file which contains host, sourcetype, and source details.

How can we map these columns into the existing lookup file or merge two files into a single file?
Is it possible? Please suggest me.

Host, Sourcetype and Source

Regards,
Syed

0 Karma

sundareshr
Legend

Try this

| inputlookup new_windows_devices.csv | append [|inputlookup Windows.csv] | stats count by Hostname SourceType | fields - count
0 Karma

sjohnson_splunk
Splunk Employee

What is the common key field between the two files?

You could either do a lookup or a join command but you need a common key.

0 Karma

sjohnson_splunk
Splunk Employee
 | inputlookup windows.csv | lookup other.csv host | outputlookup merged.csv

This assumes that both are lookups (you didn't say that about the other.csv). If it's not, then assuming it is in var/run/splunk:

| inputcsv other.csv | lookup windows.csv host | outputlookup merged.csv
0 Karma

syedsalam
New Member

Thanks John.

0 Karma

syedsalam
New Member

Hi,

Please suggest how to merge two files into a single file. The common key for both files is Hostname and SourceType.

I should get only the Hostname and SourceType columns, not any other columns.
The file name is available below.

| inputlookup new_windows_devices.csv | inputlookup Windows.csv

0 Karma

syedsalam
New Member

It's not working John.

0 Karma

syedsalam
New Member

The host field is the common key in both files.

0 Karma

muebel
SplunkTrust

Hi syedsalam,

I believe you can accomplish this by utilizing the append=t functionality of inputlookup. i.e.

| inputlookup windows.csv | inputlookup other.csv append=t

Please let me know if this answers your question!

0 Karma
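An added example, not taken from any reply in this thread: one way to combine the append and common-key suggestions above. It assumes both files are lookup files named windows.csv and other.csv that share a host column, and that merged.csv is the output name. It appends the rows of both files, normalizes the case of host so the same device is not counted twice, and collapses the result to one row per host carrying the columns from both files.

```spl
| inputlookup windows.csv
| inputlookup append=true other.csv
| eval host=lower(host)
| stats values(*) AS * BY host
| outputlookup merged.csv
```

Rows with an empty host are dropped by the stats step, and a column that holds different values for the same host in the two files comes out as a multivalue field.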

syedsalam
New Member

Thanks Muebel.

0 Karma

syedsalam
New Member

Hi Muebel,

My query is: I have one lookup file in Splunk for assets and another CSV file on my system. I want to join both files into a single file.

Is there any way to merge?

0 Karma