Splunk Search

How to combine results of a search with a csv file in a table?

New Member

Hi there,

I have a search that counts the appearance of an id. The first column is the id, the second is the count. I want a third column in that table, where the description for the id is listed. The description is now in a csv file. The first column in this file is the id, the second is the description. How can I compare the Splunk search result and the csv file?
The result should look like this:

ID | Description | count

Thank you!!

Chris

0 Karma
1 Solution

Builder

Hi,

The lookup should be a "comma separated csv" file. In your lookup, ; is causing the issues. If you change it to the following, it will work.

 ID,Description
 0,The log was started
 1,The log was stopped 

Thanks!!


Builder

Is this working for you?

0 Karma

New Member

Hi there,
everything works fine with your solution, thanks!! 🙂

0 Karma

Builder

You can try using the lookup command. More details @ http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/Lookup

Thanks!!

0 Karma

New Member

Hi vganjare,

Thanks for your answer. I tried to use the lookup command, but I cannot get it to work 😞

This is my search:

sourcetype="DhcpSrvLog" | table msdhcp_id  | lookup DhcpSrvLog_LOOKUP ID as msdhcp_id OUTPUT Description

I get an error every time: Error in 'lookup' command: Could not find all of the specified lookup fields in the lookup table.
The csv file is uploaded, and a lookup definition is made. So, what's wrong? 😞

0 Karma

New Member

The column names are correct and I get an output with:

| inputlookup DhcpSrvLog_LOOKUP
0 Karma

Builder

Hi,

Can you please provide the first two rows from the lookup? The first row will have the header names and the second will have sample data.

Thanks!!

0 Karma

New Member

Ok, here it is:

ID;Description
0;The log was started
1;The log was stopped 
0 Karma
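
Added example, not part of any post in this thread and not Splunk code: a Python check, run on the lookup file before uploading it, that finds which delimiter makes the header split into the `ID` and `Description` fields the `lookup` command asks for and rewrites the file as comma-separated CSV. It goes one step beyond the thread by quoting descriptions that themselves contain a comma; the function names and the row with ID 99 are constructed for illustration.

```python
import csv
import io

REQUIRED = ("ID", "Description")  # field names used by the lookup in the thread


def detect_delimiter(header_line, required=REQUIRED):
    """Return the delimiter under which the header splits into the required fields."""
    for delim in (",", ";", "\t", "|"):
        fields = [f.strip() for f in header_line.split(delim)]
        if all(name in fields for name in required):
            return delim
    raise ValueError("header does not contain fields %r" % (required,))


def to_comma_csv(text, required=REQUIRED):
    """Rewrite a delimited lookup file as comma-separated CSV.

    Values that contain a comma are quoted by csv.writer, so a description
    such as "Lease denied, pool exhausted" stays in one column.
    """
    text = text.lstrip("\ufeff")  # drop a UTF-8 byte order mark if present
    lines = text.splitlines()
    if not lines:
        raise ValueError("empty lookup file")
    delim = detect_delimiter(lines[0], required)
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for row in csv.reader(lines, delimiter=delim):
        if row:  # skip blank lines
            writer.writerow([cell.strip() for cell in row])
    return out.getvalue()


# Constructed sample: the header and two data rows from the thread plus one
# row (ID 99) invented here to show the quoting case.
SAMPLE = (
    "ID;Description\n"
    "0;The log was started\n"
    "1;The log was stopped \n"
    "99;Lease denied, pool exhausted\n"
)

if __name__ == "__main__":
    print(to_comma_csv(SAMPLE), end="")
```

A file whose header lacks either field under every candidate delimiter raises `ValueError`, which catches a misnamed column before the lookup is uploaded.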