Splunk Search

How to combine results of a search with a csv file in a table?

ChrisGermer
New Member

Hi there,

I have a search that counts the appearance of an id. The first column is the id, the second is the count. I want a third column in that table, where the description for the id is listed. The description is now in a csv file. The first column in this file is the id, the second is the description. How can I compare the Splunk search result and the csv file?
The result should look like this:

ID | Description | count

Thank you!!

Chris

0 Karma

vganjare
Builder

Hi,

The lookup should be a "comma separated csv" file. In your lookup, ; is causing the issues. If you change it to the following, it will work.

 ID,Description
 0,The log was started
 1,The log was stopped 

Thanks!!
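
An added example, not part of vganjare's answer and not Splunk's code: this Python sketch shows why the semicolon-delimited file quoted later in the thread leads to the "Could not find all of the specified lookup fields" error, and rewrites it as comma-separated. The function names are hypothetical, and the comma-only header check is a simplified model of how the header is read, not Splunk's own parser.

```python
import csv
import io

# Constructed sample: the semicolon-delimited lookup file quoted in the thread.
SEMICOLON_LOOKUP = (
    "ID;Description\n"
    "0;The log was started\n"
    "1;The log was stopped\n"
)


def header_fields(text, delimiter=","):
    """Return the header field names seen when splitting on `delimiter`."""
    reader = csv.reader(io.StringIO(text), delimiter=delimiter)
    return [name.strip() for name in next(reader, [])]


def missing_lookup_fields(text, required):
    """Fields a comma-only reader cannot find in the header (assumed model)."""
    present = set(header_fields(text, ","))
    return [f for f in required if f not in present]


def detect_delimiter(text, candidates=",;\t|"):
    """Pick the candidate that splits the header line into the most fields."""
    first_line = text.splitlines()[0] if text.strip() else ""
    return max(candidates, key=lambda d: len(header_fields(first_line, d)))


def to_comma_csv(text):
    """Rewrite the file as comma-separated, quoting values that contain commas."""
    rows = csv.reader(io.StringIO(text), delimiter=detect_delimiter(text))
    out = io.StringIO()
    writer = csv.writer(out, quoting=csv.QUOTE_MINIMAL, lineterminator="\n")
    for row in rows:
        if row:  # skip blank lines
            writer.writerow([cell.strip() for cell in row])
    return out.getvalue()


if __name__ == "__main__":
    wanted = ["ID", "Description"]
    print("missing before:", missing_lookup_fields(SEMICOLON_LOOKUP, wanted))
    fixed = to_comma_csv(SEMICOLON_LOOKUP)
    print(fixed, end="")
    print("missing after:", missing_lookup_fields(fixed, wanted))
```

With the semicolon file, a comma split sees one header field named `ID;Description`, so neither `ID` nor `Description` can be matched; after conversion both are found.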

vganjare
Builder

Is this working for you?

0 Karma

ChrisGermer
New Member

Hi there,
everything works fine with your solution, thanks!! 🙂

0 Karma

vganjare
Builder

You can try using the lookup command. More details @ http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/Lookup

Thanks!!

0 Karma

ChrisGermer
New Member

Hi vganjare,

Thanks for your answer. I tried to use the lookup command, but I cannot get it to work 😞

This is my search:

sourcetype="DhcpSrvLog" | table msdhcp_id  | lookup DhcpSrvLog_LOOKUP ID as msdhcp_id OUTPUT Description

I get an error every time: Error in 'lookup' command: Could not find all of the specified lookup fields in the lookup table.
The csv file is uploaded, and a lookup definition is made. So, what's wrong? 😞

0 Karma

ChrisGermer
New Member

The column names are correct and I get an output with:

| inputlookup DhcpSrvLog_LOOKUP

0 Karma

vganjare
Builder

Hi,

Can you please provide the first two rows from the lookup? The first row will have the header names and the second will have sample data.

Thanks!!

0 Karma

ChrisGermer
New Member

Ok, here it is:

ID;Description
0;The log was started
1;The log was stopped

0 Karma