Hi there,
I have a search that counts the appearance of an id. The first column is the id, the second is the count. I want a third column in that table, where the description for the id is listed. The description is now in a csv file. The first column in this file is the id, the second is the description. How can i compare the splunk search result and the csv file?
The result should look like this:
ID | Description | count
Thank you!!
Chris
Hi,
The lookup should be "comma seperated csv" file. In your lookup, ; is causing the issues. If you change it to following, it will work.
ID,Description
0,The log was started
1,The log was stopped
Thanks!!
Hi,
The lookup should be "comma seperated csv" file. In your lookup, ; is causing the issues. If you change it to following, it will work.
ID,Description
0,The log was started
1,The log was stopped
Thanks!!
Is this working for you?
Hi there,
everything works fine with ur solution, thanks!! 🙂
You can try using lookup command. More details @ http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/Lookup
Thanks!!
Hi vganjare,
thanks for ur answer. I tried to use the lookup command. But i can not get it work 😞
this is my search:
sourcetype="DhcpSrvLog" | table msdhcp_id | lookup DhcpSrvLog_LOOKUP ID as msdhcp_id OUTPUT Description
I get an error every time: Error in 'lookup' command: Could not find all of the specified lookup fields in the lookup table.
The csv file is uploded, and a lookup-definition is made. So, whats wrong? 😞
The column names are correctly and i get an output with:
| inputlookup DhcpSrvLog_LOOKUP
Hi,
Can you please provide the First two rows from the lookup. First row will have header names and second will have sample data.
Thanks!!
Ok, here it is:
ID;Description
0;The log was started
1;The log was stopped