Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to match the host in host.csv with the field in test.csv?

jip31
Motivator
‎07-24-2020 04:15 AM

hi

I need tio match the host there is in host.csv with the field there is in test.csv but i dont succeed

could you help me please?

 

[| inputlookup host.csv 
    | table host ]
 | lookup test.csv HOSTNAME as host output SITE STATUS 
 | stats values(SITE) as SITE, values(STATUS) as STATUS by host

 

Labels (1)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎07-24-2020 11:48 AM

sample:

| makeresults count=100
| eval host="host".mvindex(split("ABCDEFGHIJKLMNOPQRSTUVWXYZ",""),random() % 26)
| dedup host
| join host [ | makeresults
| eval _raw="HOSTNAME SITE STATUS
hostZ test good"
| multikv 
| rename HOSTNAME as host]
| stats values(SITE) as SITE values(STATUS) as STATUS by host

@gcusello  's query is good. you should display both csv details and the result.

> it doesn't work
What does it display? Have you check the result before stats?

No one can see your screen but you.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎07-24-2020 04:49 AM

Hi @jip31,

did you tried something like this?

| inputlookup host.csv 
| lookup test.csv HOSTNAME as host output SITE STATUS 
| stats values(SITE) as SITE values(STATUS) as STATUS by host

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎07-24-2020 11:31 AM

Hi

Yes but it doesnt work....

0 Karma
Reply
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎07-24-2020 11:48 AM

sample:

| makeresults count=100
| eval host="host".mvindex(split("ABCDEFGHIJKLMNOPQRSTUVWXYZ",""),random() % 26)
| dedup host
| join host [ | makeresults
| eval _raw="HOSTNAME SITE STATUS
hostZ test good"
| multikv 
| rename HOSTNAME as host]
| stats values(SITE) as SITE values(STATUS) as STATUS by host

@gcusello  's query is good. you should display both csv details and the result.

> it doesn't work
What does it display? Have you check the result before stats?

No one can see your screen but you.

0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎07-26-2020 09:15 PM

I have done this

 

| inputlookup host.csv 
| join host 
    [| inputlookup test.csv 
    | rename HOSTNAME as host] 
| stats last(DNS_NAME) as DNS, last(CLIENT_USER) as Client, last(STATUS) as Status, last(DESCRIPTION_MODEL) as Model, last(OS) as OS, last(OS_VERSION) as "OS Version" last(SITE) as Site last(BUILDING_CODE) as Building by host
0 Karma
Reply
Solved! Jump to solution

spitchika
Path Finder
‎07-27-2020 08:43 AM

While joining 2 queries... try to use join type as inner.

"| join type=inner"

0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎07-24-2020 08:05 PM

Hi to4kawa

Yes the query works but.....

Du to the fact that there is no subsearch with | inputlookup host.csv, the host displayed in my table dont match the host with the host there is in host.csv.....

I need to display the results only for the host in host.csv.......

Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...