- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Lookup with fieldname as a value instead of co...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi guys
I have a CSV file with following structure:
+--------+-----------+------------+ | DEV_ID | attr_name | attr_value | +--------+-----------+------------+ | DEV_1 | field_1 | value_xx | | DEV_1 | field_2 | value_yy | | DEV_2 | field_1 | value_zz | and so on
I want a lookup on DEV_ID in which I can say:
Take the fieldname from attr_name and its value from attr_value and append the fields to all events (as automatic lookups)
In a simple lookup command the fieldname is always the column-header.
Is it possible to change that behaviour and give a cell as fieldname?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Found a different solution.
First I have to manipulate my csv to put it into normal shape (got me some time and this answer to come up with the right search)
| inputlookup attributes.csv | eval {attr_name}=attr_value | fields- attr_name,attr_value | stats first(*) as * by DEV_ID
This results into a "normal" and usable lookup-table which doesn't impose anymore any problems.
Hope this might help others too
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Found a different solution.
First I have to manipulate my csv to put it into normal shape (got me some time and this answer to come up with the right search)
| inputlookup attributes.csv | eval {attr_name}=attr_value | fields- attr_name,attr_value | stats first(*) as * by DEV_ID
This results into a "normal" and usable lookup-table which doesn't impose anymore any problems.
Hope this might help others too
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can do this with a transform command. Something like this:
[kvpair]
REGEX = ([a-z]+)=([a-z]+)
FORMAT = $1::$2
Then add to props.
[<sourcetypw>]
REPORT-syslog =kvpair
My syntax may not be 100%, but the docs will help you there.
http://docs.splunk.com/Documentation/Splunk/6.2.1/Admin/transformsconf
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for the answer. Sadly this is not helping me.
I'm able to create the transforms stanza:
[attributes]
REGEX = ,(/S+),(.*)$ # backslash instead of /
FORMAT = $1::$2
The props.conf is more difficult. As the data is not indexed but instead in the CSV-file, I can't make the configuration on a specific sourcetype,source or host.
I need the csv-file to append information to a search with the splunk command
lookup
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
