Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to get column from csv file to insert in search result?

Julia1231
Communicator
‎09-23-2022 05:30 AM

Hi everyone,

I use dbxquery and get this result from database:

id count
123 12
456 24
478 6

 

Also I have a csv file already put  in lookup of Splunk like this:

id type
123 Machine
478 Machine
456 Food
987 Food
789 Toys

 

Please, how can I insert the column "type" from lookup to the search result above?

Basically this is what I want to achieve:

id count type
123 12 Machine
478 6 Machine
456 24 Food
987 0 Food
789 0 Toys

I tried: |lookup lookupfile.csv id OUTPUT id type but it doesn't work

Thanks,

Julia

Labels (1)
Labels
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Julia1231
Communicator
‎09-26-2022 02:31 AM

Hi @yuanliu @richgalloway ,

Sorry for not making it clear for the "it doesn't work". I meant nothing change in the result search.

Anw, by the end I found the reason, cause I forgot that Splunk cares the case sensitive. In the csv, I put "ID", but in splunk it's "id"

Have a nice day!

View solution in original post

Reply
Solved! Jump to solution
Solution

Julia1231
Communicator
‎09-26-2022 02:31 AM

Hi @yuanliu @richgalloway ,

Sorry for not making it clear for the "it doesn't work". I meant nothing change in the result search.

Anw, by the end I found the reason, cause I forgot that Splunk cares the case sensitive. In the csv, I put "ID", but in splunk it's "id"

Have a nice day!

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎09-23-2022 06:06 AM

Your lookup command should have worked, but try this one.

| lookup lookupfile.csv id OUTPUT type

If that doesn't produce the desired results then please show or explain the results you do get.  "it doesn't work" isn't very helpful.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎09-24-2022 02:40 PM

I agree that "doesn't work" is not informative and should be avoided in any description.

Additionally, when you "put  in lookup of Splunk," did you make a lookup definition? (In addition to upload the CSV file.)  Did you name that definition as "lookupfile.csv" or something else? (I usually name my lookups "lookupfile" instead of "lookupfile.csv".)

0 Karma
Reply
Get Updates on the Splunk Community!

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...