Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to get column from csv file to insert in search result?

Julia1231
Communicator
‎09-23-2022 05:30 AM

Hi everyone,

I use dbxquery and get this result from database:

id count
123 12
456 24
478 6

 

Also I have a csv file already put  in lookup of Splunk like this:

id type
123 Machine
478 Machine
456 Food
987 Food
789 Toys

 

Please, how can I insert the column "type" from lookup to the search result above?

Basically this is what I want to achieve:

id count type
123 12 Machine
478 6 Machine
456 24 Food
987 0 Food
789 0 Toys

I tried: |lookup lookupfile.csv id OUTPUT id type but it doesn't work

Thanks,

Julia

Labels (1)
Labels
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Julia1231
Communicator
‎09-26-2022 02:31 AM

Hi @yuanliu @richgalloway ,

Sorry for not making it clear for the "it doesn't work". I meant nothing change in the result search.

Anw, by the end I found the reason, cause I forgot that Splunk cares the case sensitive. In the csv, I put "ID", but in splunk it's "id"

Have a nice day!

View solution in original post

Reply
Solved! Jump to solution
Solution

Julia1231
Communicator
‎09-26-2022 02:31 AM

Hi @yuanliu @richgalloway ,

Sorry for not making it clear for the "it doesn't work". I meant nothing change in the result search.

Anw, by the end I found the reason, cause I forgot that Splunk cares the case sensitive. In the csv, I put "ID", but in splunk it's "id"

Have a nice day!

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎09-23-2022 06:06 AM

Your lookup command should have worked, but try this one.

| lookup lookupfile.csv id OUTPUT type

If that doesn't produce the desired results then please show or explain the results you do get.  "it doesn't work" isn't very helpful.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎09-24-2022 02:40 PM

I agree that "doesn't work" is not informative and should be avoided in any description.

Additionally, when you "put  in lookup of Splunk," did you make a lookup definition? (In addition to upload the CSV file.)  Did you name that definition as "lookupfile.csv" or something else? (I usually name my lookups "lookupfile" instead of "lookupfile.csv".)

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...