Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Lookup with fieldname as a value instead of column...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi guys
I have a CSV file with following structure:
+--------+-----------+------------+ | DEV_ID | attr_name | attr_value | +--------+-----------+------------+ | DEV_1 | field_1 | value_xx | | DEV_1 | field_2 | value_yy | | DEV_2 | field_1 | value_zz | and so on
I want a lookup on DEV_ID in which I can say:
Take the fieldname from attr_name and its value from attr_value and append the fields to all events (as automatic lookups)
In a simple lookup command the fieldname is always the column-header.
Is it possible to change that behaviour and give a cell as fieldname?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Found a different solution.
First I have to manipulate my csv to put it into normal shape (got me some time and this answer to come up with the right search)
| inputlookup attributes.csv | eval {attr_name}=attr_value | fields- attr_name,attr_value | stats first(*) as * by DEV_ID
This results into a "normal" and usable lookup-table which doesn't impose anymore any problems.
Hope this might help others too
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Found a different solution.
First I have to manipulate my csv to put it into normal shape (got me some time and this answer to come up with the right search)
| inputlookup attributes.csv | eval {attr_name}=attr_value | fields- attr_name,attr_value | stats first(*) as * by DEV_ID
This results into a "normal" and usable lookup-table which doesn't impose anymore any problems.
Hope this might help others too
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can do this with a transform command. Something like this:
[kvpair]
REGEX = ([a-z]+)=([a-z]+)
FORMAT = $1::$2
Then add to props.
[<sourcetypw>]
REPORT-syslog =kvpair
My syntax may not be 100%, but the docs will help you there.
http://docs.splunk.com/Documentation/Splunk/6.2.1/Admin/transformsconf
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for the answer. Sadly this is not helping me.
I'm able to create the transforms stanza:
[attributes]
REGEX = ,(/S+),(.*)$ # backslash instead of /
FORMAT = $1::$2
The props.conf is more difficult. As the data is not indexed but instead in the CSV-file, I can't make the configuration on a specific sourcetype,source or host.
I need the csv-file to append information to a search with the splunk command
lookup
Index This | What is broken 80% of the time by February?
Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...
Splunk MCP & Agentic AI: Machine Data Without Limits
