Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Mapping id and name from lookup csv

alanhodreamshub
Explorer
‎10-31-2021 09:51 PM

Hello experts,

My splunk search can return only a list of group IDs, but group names can only be found separately

there is a groups.csv file which maps id and name

groupid,groupname,
"a1234", "apple",
"b2345","balloons",
"c1144","cats"

How can I write the query to return group id and the corresponding group name

index=myidx type=groups 
| table _time groupid groupname

Thanks a lot!

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jwalthour
Communicator
‎11-01-2021 04:24 AM

Try this:

index=myidx type=groups
| lookup groups.csv groupid AS ‘request.groupid’ OUTPUTNEW groupname
| table _time request.groupid groupname

View solution in original post

Reply
Solved! Jump to solution

alanhodreamshub
Explorer
‎11-01-2021 12:36 AM

my bad, i should be more precise. 

index=myidx type=groups 
| table _time request.groupid groupname

this will return:

_timerequest.groupidgroupname
2021-11-01 15:33"a1234" 
2021-11-01 15:33"b2345" 
2021-11-01 15:33"c1144"
 


groups.csv: 

groupid,groupname,
"a1234", "apple",
"b2345","balloons",
"c1144","cats"

How can i map request.groupid with the groupname (associated to groupid) in groups.csv

0 Karma
Reply
Solved! Jump to solution
Solution

jwalthour
Communicator
‎11-01-2021 04:24 AM

Try this:

index=myidx type=groups
| lookup groups.csv groupid AS ‘request.groupid’ OUTPUTNEW groupname
| table _time request.groupid groupname

Reply
Solved! Jump to solution

alanhodreamshub
Explorer
‎11-01-2021 09:07 PM

Thanks!

0 Karma
Reply
Solved! Jump to solution

vhharanpositka
Path Finder
‎10-31-2021 10:20 PM

Hi @alanhodreamshub 

 

You have to include the lookup life in the search for mapping the id and name.

Try this one

Search:

index=myidx type=groups | lookup groups.csv groupid OUTPUT groupname
| table _time groupid groupname

0 Karma
Reply
Solved! Jump to solution

jwalthour
Communicator
‎10-31-2021 10:17 PM

How about:

index=myidx type=groups
| lookup groups.csv groupid OUTPUTNEW groupname
| table _time groupid groupname

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...