Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to get column from csv file to insert in search result?

Julia1231
Communicator
‎09-23-2022 05:30 AM

Hi everyone,

I use dbxquery and get this result from database:

id count
123 12
456 24
478 6

 

Also I have a csv file already put  in lookup of Splunk like this:

id type
123 Machine
478 Machine
456 Food
987 Food
789 Toys

 

Please, how can I insert the column "type" from lookup to the search result above?

Basically this is what I want to achieve:

id count type
123 12 Machine
478 6 Machine
456 24 Food
987 0 Food
789 0 Toys

I tried: |lookup lookupfile.csv id OUTPUT id type but it doesn't work

Thanks,

Julia

Labels (1)
Labels
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Julia1231
Communicator
‎09-26-2022 02:31 AM

Hi @yuanliu @richgalloway ,

Sorry for not making it clear for the "it doesn't work". I meant nothing change in the result search.

Anw, by the end I found the reason, cause I forgot that Splunk cares the case sensitive. In the csv, I put "ID", but in splunk it's "id"

Have a nice day!

View solution in original post

Reply
Solved! Jump to solution
Solution

Julia1231
Communicator
‎09-26-2022 02:31 AM

Hi @yuanliu @richgalloway ,

Sorry for not making it clear for the "it doesn't work". I meant nothing change in the result search.

Anw, by the end I found the reason, cause I forgot that Splunk cares the case sensitive. In the csv, I put "ID", but in splunk it's "id"

Have a nice day!

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎09-23-2022 06:06 AM

Your lookup command should have worked, but try this one.

| lookup lookupfile.csv id OUTPUT type

If that doesn't produce the desired results then please show or explain the results you do get.  "it doesn't work" isn't very helpful.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎09-24-2022 02:40 PM

I agree that "doesn't work" is not informative and should be avoided in any description.

Additionally, when you "put  in lookup of Splunk," did you make a lookup definition? (In addition to upload the CSV file.)  Did you name that definition as "lookupfile.csv" or something else? (I usually name my lookups "lookupfile" instead of "lookupfile.csv".)

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...