Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How would you go about including CSV data in your search results?

joea9
Explorer
‎07-17-2015 11:10 PM

I want to know how people would go about solving this problem...

In my Splunk search results I have a field called 'Name', which holds peoples names.

I also have a CSV file on the server which holds the following columns:
Name
Age
Date of Birth
Location

I want to use this CSV file to enrich my splunk data. So that when I do a search, and Fred Bloggs appears in the results, I also want his Age, DOB and Location fields to be included in the Splunk results. I also want to be able to drill down on those Age, Date of Birth and Location fields from within the Splunk results.

Can anyone help with this? I really want to know what the best and cleanest solution is, so I can focus on doing it that way.

I have read some things about lookups and tags, and custom search scripts. But it's not clear to me how I would implement them to do what I need.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎07-17-2015 11:13 PM

You do this by creating a lookup (see documentation link at the bottom) and then use it like this:

<Search With Name Here> | lookup name_details | ...

Then do whatever you like after that.

http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Addfieldsfromexternaldatasources

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎07-17-2015 11:13 PM

You do this by creating a lookup (see documentation link at the bottom) and then use it like this:

<Search With Name Here> | lookup name_details | ...

Then do whatever you like after that.

http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Addfieldsfromexternaldatasources

Reply
Solved! Jump to solution

joea9
Explorer
‎07-17-2015 11:37 PM

I'd tried lookups before but I didn't get very far, and I then started to look at alternatives, ie custom python scripts that pull in a CSV file etc.

Although re-reading the lookup documentation that you linked to, it is clearly the method that I should be using.

Thanks for pointing me back down the correct track. I'll give it another go and if I have issues again I'll create a new Question.

Just as an aside question, does the configuration method described in that documentation produce the same outcome as creating lookups via the GUI? I had only tried via the GUI but the transform.conf instructions seem clearer.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎07-17-2015 11:39 PM

Yes, identical. Anything you can do from the GUI can be done from the CLI directly acting on the *.conf files (which is where the GUI stores the stuff you enter there).

Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...