Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to match the host in host.csv with the field in test.csv?

jip31
Builder
‎07-24-2020 04:15 AM

hi

I need tio match the host there is in host.csv with the field there is in test.csv but i dont succeed

could you help me please?

 

[| inputlookup host.csv 
    | table host ]
 | lookup test.csv HOSTNAME as host output SITE STATUS 
 | stats values(SITE) as SITE, values(STATUS) as STATUS by host

 

Labels (1)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

to4kawa
SplunkTrust
SplunkTrust
‎07-24-2020 11:48 AM

sample:

| makeresults count=100
| eval host="host".mvindex(split("ABCDEFGHIJKLMNOPQRSTUVWXYZ",""),random() % 26)
| dedup host
| join host [ | makeresults
| eval _raw="HOSTNAME SITE STATUS
hostZ test good"
| multikv 
| rename HOSTNAME as host]
| stats values(SITE) as SITE values(STATUS) as STATUS by host

@gcusello  's query is good. you should display both csv details and the result.

> it doesn't work
What does it display? Have you check the result before stats?

No one can see your screen but you.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎07-24-2020 04:49 AM

Hi @jip31,

did you tried something like this?

| inputlookup host.csv 
| lookup test.csv HOSTNAME as host output SITE STATUS 
| stats values(SITE) as SITE values(STATUS) as STATUS by host

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

jip31
Builder
‎07-24-2020 11:31 AM

Hi

Yes but it doesnt work....

0 Karma
Reply
Solved! Jump to solution
Solution

to4kawa
SplunkTrust
SplunkTrust
‎07-24-2020 11:48 AM

sample:

| makeresults count=100
| eval host="host".mvindex(split("ABCDEFGHIJKLMNOPQRSTUVWXYZ",""),random() % 26)
| dedup host
| join host [ | makeresults
| eval _raw="HOSTNAME SITE STATUS
hostZ test good"
| multikv 
| rename HOSTNAME as host]
| stats values(SITE) as SITE values(STATUS) as STATUS by host

@gcusello  's query is good. you should display both csv details and the result.

> it doesn't work
What does it display? Have you check the result before stats?

No one can see your screen but you.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

jip31
Builder
‎07-26-2020 09:15 PM

I have done this

 

| inputlookup host.csv 
| join host 
    [| inputlookup test.csv 
    | rename HOSTNAME as host] 
| stats last(DNS_NAME) as DNS, last(CLIENT_USER) as Client, last(STATUS) as Status, last(DESCRIPTION_MODEL) as Model, last(OS) as OS, last(OS_VERSION) as "OS Version" last(SITE) as Site last(BUILDING_CODE) as Building by host
0 Karma
Reply
Solved! Jump to solution

spitchika
Path Finder
‎07-27-2020 08:43 AM

While joining 2 queries... try to use join type as inner.

"| join type=inner"

0 Karma
Reply
Solved! Jump to solution

jip31
Builder
‎07-24-2020 08:05 PM

Hi to4kawa

Yes the query works but.....

Du to the fact that there is no subsearch with | inputlookup host.csv, the host displayed in my table dont match the host with the host there is in host.csv.....

I need to display the results only for the host in host.csv.......

Tags (1)
0 Karma
Reply
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!

Get Updates on the Splunk Community!