Splunk Search

How to get column from csv file to insert in search result?

Julia1231
Communicator

Hi everyone,

I use dbxquery and get this result from database:

id count
123 12
456 24
478 6

 

Also, I have a CSV file already put in lookup of Splunk like this:

id type
123 Machine
478 Machine
456 Food
987 Food
789 Toys

 

Please, how can I insert the column "type" from lookup to the search result above?

Basically this is what I want to achieve:

id count type
123 12 Machine
478 6 Machine
456 24 Food
987 0 Food
789 0 Toys

I tried: |lookup lookupfile.csv id OUTPUT id type but it doesn't work

Thanks,

Julia

0 Karma
1 Solution

Julia1231
Communicator

Hi @yuanliu @richgalloway ,

Sorry for not making the "it doesn't work" clear. I meant nothing changed in the search result.

Anyway, in the end I found the reason: I forgot that Splunk is case-sensitive. In the CSV, I put "ID", but in Splunk it's "id".

Have a nice day!

richgalloway
SplunkTrust

Your lookup command should have worked, but try this one.

| lookup lookupfile.csv id OUTPUT type

If that doesn't produce the desired results then please show or explain the results you do get. "it doesn't work" isn't very helpful.

---
If this reply helps you, Karma would be appreciated.
0 Karma

yuanliu
SplunkTrust

I agree that "doesn't work" is not informative and should be avoided in any description.

Additionally, when you "put in lookup of Splunk," did you make a lookup definition (in addition to uploading the CSV file)? Did you name that definition "lookupfile.csv" or something else? (I usually name my lookups "lookupfile" instead of "lookupfile.csv".)

0 Karma
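
An added SPL example, not part of any reply above: one way to produce the table from the question, including the ids that exist only in the lookup with a count of 0. It assumes the CSV header is "ID" as described in the accepted solution (hence the `ID AS id` mapping, since field names are matched case-sensitively), that the file is readable by `lookup` and `inputlookup` as lookupfile.csv, and it builds the three database rows inline with `makeresults` as constructed sample data.

```spl
| makeresults
| eval row=split("123:12,456:24,478:6", ",")
| mvexpand row
| eval id=mvindex(split(row, ":"), 0), count=tonumber(mvindex(split(row, ":"), 1))
| table id count
| lookup lookupfile.csv ID AS id OUTPUT type
| append
    [| inputlookup lookupfile.csv
     | rename ID AS id
     | eval count=0
     | table id count type]
| stats max(count) AS count, first(type) AS type BY id
```

In a real search, the first five lines are replaced by the dbxquery call. The `append` adds every lookup row with count=0, and `stats` keeps the larger count for each id.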