Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forย 
Search instead forย 
Did you mean:ย 
Ask a Question
Solved! Jump to solution

Lookup with fieldname as a value instead of column-header

Muryoutaisuu
Communicator
โ€Ž02-10-2015 04:25 AM

Hi guys

I have a CSV file with following structure:

+--------+-----------+------------+
| DEV_ID | attr_name | attr_value |
+--------+-----------+------------+
| DEV_1  | field_1   | value_xx   |
| DEV_1  | field_2   | value_yy   |
| DEV_2  | field_1   | value_zz   |
and so on

I want a lookup on DEVID in which I can say:
Take the fieldname from attrname and its value from attr_value and append the fields to all events (as automatic lookups)
In a simple lookup command the fieldname is always the column-header.
Is it possible to change that behaviour and give a cell as fieldname?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Muryoutaisuu
Communicator
โ€Ž02-12-2015 05:52 AM

Found a different solution.
First I have to manipulate my csv to put it into normal shape (got me some time and this answer to come up with the right search)

| inputlookup attributes.csv | eval {attrname}=attrvalue | fields- attrname,attrvalue | stats first(*) as * by DEV_ID
This results into a "normal" and usable lookup-table which doesn't impose anymore any problems.
Hope this might help others too

View solution in original post

Reply
Solved! Jump to solution
Solution

Muryoutaisuu
Communicator
โ€Ž02-12-2015 05:52 AM

Found a different solution.
First I have to manipulate my csv to put it into normal shape (got me some time and this answer to come up with the right search)

| inputlookup attributes.csv | eval {attrname}=attrvalue | fields- attrname,attrvalue | stats first(*) as * by DEV_ID
This results into a "normal" and usable lookup-table which doesn't impose anymore any problems.
Hope this might help others too

View solution in original post

Reply
Solved! Jump to solution

thomrs
Communicator
โ€Ž02-10-2015 08:51 AM

You can do this with a transform command. Something like this:

[kvpair]
REGEX  = ([a-z]+)=([a-z]+)
FORMAT = $1::$2

Then add to props.

[<sourcetypw>] 
REPORT-syslog  =kvpair

My syntax may not be 100%, but the docs will help you there.
http://docs.splunk.com/Documentation/Splunk/6.2.1/Admin/transformsconf

0 Karma
Reply
Solved! Jump to solution

Muryoutaisuu
Communicator
โ€Ž02-12-2015 03:18 AM

Thank you for the answer. Sadly this is not helping me.
I'm able to create the transforms stanza:



[attributes]

REGEX = ,(/S+),(.*)$   # backslash instead of /

FORMAT = $1::$2

The props.conf is more difficult. As the data is not indexed but instead in the CSV-file, I can't make the configuration on a specific sourcetype,source or host.
I need the csv-file to append information to a search with the splunk command lookup

0 Karma
Reply