Splunk Search

How to get column from csv file to insert in search result?

Julia1231
Path Finder

Hi everyone,

I use dbxquery and get this result from database:

id count
123 12
456 24
478 6

 

Also I have a csv file already put  in lookup of Splunk like this:

id type
123 Machine
478 Machine
456 Food
987 Food
789 Toys

 

Please, how can I insert the column "type" from lookup to the search result above?

Basically this is what I want to achieve:

id count type
123 12 Machine
478 6 Machine
456 24 Food
987 0 Food
789 0 Toys

I tried: |lookup lookupfile.csv id OUTPUT id type but it doesn't work

Thanks,

Julia

Labels (1)
Tags (3)
0 Karma
1 Solution

Julia1231
Path Finder

Hi @yuanliu @richgalloway ,

Sorry for not making it clear for the "it doesn't work". I meant nothing change in the result search.

Anw, by the end I found the reason, cause I forgot that Splunk cares the case sensitive. In the csv, I put "ID", but in splunk it's "id"

Have a nice day!

View solution in original post

Julia1231
Path Finder

Hi @yuanliu @richgalloway ,

Sorry for not making it clear for the "it doesn't work". I meant nothing change in the result search.

Anw, by the end I found the reason, cause I forgot that Splunk cares the case sensitive. In the csv, I put "ID", but in splunk it's "id"

Have a nice day!

richgalloway
SplunkTrust
SplunkTrust

Your lookup command should have worked, but try this one.

| lookup lookupfile.csv id OUTPUT type

If that doesn't produce the desired results then please show or explain the results you do get.  "it doesn't work" isn't very helpful.

---
If this reply helps you, Karma would be appreciated.
0 Karma

yuanliu
SplunkTrust
SplunkTrust

I agree that "doesn't work" is not informative and should be avoided in any description.

Additionally, when you "put  in lookup of Splunk," did you make a lookup definition? (In addition to upload the CSV file.)  Did you name that definition as "lookupfile.csv" or something else? (I usually name my lookups "lookupfile" instead of "lookupfile.csv".)

0 Karma
Get Updates on the Splunk Community!

Platform Highlights | November 2022 Newsletter

 November 2022 Skill Up on Splunk with our New Builder Tech Talk SeriesCan you build it? Yes you can! *play ...

Splunk Education - Fast Start Program!

Welcome to Splunk Education! Splunk training programs are designed to enable you to get started quickly and ...

Five Subtly Different Ways of Adding Manual Instrumentation in Java

You can find the code of this example on GitHub here. Please feel free to star the repository to keep in ...