Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to match the host in host.csv with the field in test.csv?

jip31
Motivator
‎07-24-2020 04:15 AM

hi

I need tio match the host there is in host.csv with the field there is in test.csv but i dont succeed

could you help me please?

 

[| inputlookup host.csv 
    | table host ]
 | lookup test.csv HOSTNAME as host output SITE STATUS 
 | stats values(SITE) as SITE, values(STATUS) as STATUS by host

 

Labels (1)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎07-24-2020 11:48 AM

sample:

| makeresults count=100
| eval host="host".mvindex(split("ABCDEFGHIJKLMNOPQRSTUVWXYZ",""),random() % 26)
| dedup host
| join host [ | makeresults
| eval _raw="HOSTNAME SITE STATUS
hostZ test good"
| multikv 
| rename HOSTNAME as host]
| stats values(SITE) as SITE values(STATUS) as STATUS by host

@gcusello  's query is good. you should display both csv details and the result.

> it doesn't work
What does it display? Have you check the result before stats?

No one can see your screen but you.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎07-24-2020 04:49 AM

Hi @jip31,

did you tried something like this?

| inputlookup host.csv 
| lookup test.csv HOSTNAME as host output SITE STATUS 
| stats values(SITE) as SITE values(STATUS) as STATUS by host

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎07-24-2020 11:31 AM

Hi

Yes but it doesnt work....

0 Karma
Reply
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎07-24-2020 11:48 AM

sample:

| makeresults count=100
| eval host="host".mvindex(split("ABCDEFGHIJKLMNOPQRSTUVWXYZ",""),random() % 26)
| dedup host
| join host [ | makeresults
| eval _raw="HOSTNAME SITE STATUS
hostZ test good"
| multikv 
| rename HOSTNAME as host]
| stats values(SITE) as SITE values(STATUS) as STATUS by host

@gcusello  's query is good. you should display both csv details and the result.

> it doesn't work
What does it display? Have you check the result before stats?

No one can see your screen but you.

0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎07-26-2020 09:15 PM

I have done this

 

| inputlookup host.csv 
| join host 
    [| inputlookup test.csv 
    | rename HOSTNAME as host] 
| stats last(DNS_NAME) as DNS, last(CLIENT_USER) as Client, last(STATUS) as Status, last(DESCRIPTION_MODEL) as Model, last(OS) as OS, last(OS_VERSION) as "OS Version" last(SITE) as Site last(BUILDING_CODE) as Building by host
0 Karma
Reply
Solved! Jump to solution

spitchika
Path Finder
‎07-27-2020 08:43 AM

While joining 2 queries... try to use join type as inner.

"| join type=inner"

0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎07-24-2020 08:05 PM

Hi to4kawa

Yes the query works but.....

Du to the fact that there is no subsearch with | inputlookup host.csv, the host displayed in my table dont match the host with the host there is in host.csv.....

I need to display the results only for the host in host.csv.......

Tags (1)
0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

AppDynamics Summer Webinars

This summer, our mighty AppDynamics team is cooking up some delicious content on YouTube Live to satiate your ...

SOCin’ it to you at Splunk University

Splunk University is expanding its instructor-led learning portfolio with dedicated Security tracks at .conf25 ...

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Organizations handling credit card transactions know that PCI DSS compliance is both critical and complex. The ...
Top