Solved: How do you match extracted CSV and index value and...

dannili · ‎11-05-2018

I have index =s1 with a field called city, and an uploaded CSV file with fields like "office", "latitude" and "longitude". I wanted to find matching values where city == office and then use input lookup's latitude and longitude to visualize a map.

My search now is like this but it's not working.

index=s1 | append [| inputlookup cosco_mapping.csv | rex field=formatted_address "^(?<city>[^,]++)" | fields city, latitude, longitude ]  |  rex field=group_name "^(.*[\\\\])(?<office>.+)" | table office, city, latitude, longitude |   where office==city  | geostats latfield=latitude longfield=longitude count

Does anyone know how to solve this? Thanks!

sduff_splunk · ‎11-05-2018

In your query, you are not correlating your CSV data with the original indexed data. You may need to do a stats or a join to combine the indexed data with your CSV data.

Alternatively, have you tried using your CSV as a lookup?
index=s1 | lookup cosco_mapping.csv city AS office OUTPUT lattitude longitude

View solution in original post

sduff_splunk · ‎11-05-2018

In your query, you are not correlating your CSV data with the original indexed data. You may need to do a stats or a join to combine the indexed data with your CSV data.

Alternatively, have you tried using your CSV as a lookup?
index=s1 | lookup cosco_mapping.csv city AS office OUTPUT lattitude longitude

dannili · ‎11-06-2018

Thanks for your response.This worked!

How do you match extracted CSV and index value and use geo values to visualize a map?

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)