Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Mapping id and name from lookup csv

alanhodreamshub
Explorer
‎10-31-2021 09:51 PM

Hello experts,

My splunk search can return only a list of group IDs, but group names can only be found separately

there is a groups.csv file which maps id and name

groupid,groupname,
"a1234", "apple",
"b2345","balloons",
"c1144","cats"

How can I write the query to return group id and the corresponding group name

index=myidx type=groups 
| table _time groupid groupname

Thanks a lot!

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jwalthour
Communicator
‎11-01-2021 04:24 AM

Try this:

index=myidx type=groups
| lookup groups.csv groupid AS ‘request.groupid’ OUTPUTNEW groupname
| table _time request.groupid groupname

View solution in original post

Reply
Solved! Jump to solution

alanhodreamshub
Explorer
‎11-01-2021 12:36 AM

my bad, i should be more precise. 

index=myidx type=groups 
| table _time request.groupid groupname

this will return:

_timerequest.groupidgroupname
2021-11-01 15:33"a1234" 
2021-11-01 15:33"b2345" 
2021-11-01 15:33"c1144"
 


groups.csv: 

groupid,groupname,
"a1234", "apple",
"b2345","balloons",
"c1144","cats"

How can i map request.groupid with the groupname (associated to groupid) in groups.csv

0 Karma
Reply
Solved! Jump to solution
Solution

jwalthour
Communicator
‎11-01-2021 04:24 AM

Try this:

index=myidx type=groups
| lookup groups.csv groupid AS ‘request.groupid’ OUTPUTNEW groupname
| table _time request.groupid groupname

Reply
Solved! Jump to solution

alanhodreamshub
Explorer
‎11-01-2021 09:07 PM

Thanks!

0 Karma
Reply
Solved! Jump to solution

vhharanpositka
Path Finder
‎10-31-2021 10:20 PM

Hi @alanhodreamshub 

 

You have to include the lookup life in the search for mapping the id and name.

Try this one

Search:

index=myidx type=groups | lookup groups.csv groupid OUTPUT groupname
| table _time groupid groupname

0 Karma
Reply
Solved! Jump to solution

jwalthour
Communicator
‎10-31-2021 10:17 PM

How about:

index=myidx type=groups
| lookup groups.csv groupid OUTPUTNEW groupname
| table _time groupid groupname

0 Karma
Reply
Get Updates on the Splunk Community!

Wrapping Up Cybersecurity Awareness Month

October might be wrapping up, but for Splunk Education, cybersecurity awareness never goes out of season. ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...

What's New in Splunk Observability - October 2025

What’s New?    We’re excited to announce the latest enhancements to Splunk Observability Cloud and share ...