Splunk Search

Merge dataset from tstat with data from external *.csv file.

Engager

Hello,

I have to merge a dataset with data from a CSV file.
The CSV file is added correctly.

Dataset:
ACTION,
CLASS,
CURRENTPAGE,
F_WorkFlowNumber,
FULL_TIME

map.csv:
CURRENT_PAGE,
KIND

CURRENT_PAGE is common field.

I have to show data from the dataset filtered by KIND.

How can I achieve this?

Best
Dawid

0 Karma

Engager

So I will repeat that question:

Yes, it was what I was looking for, but my main question was: how to do it with "tstats".

Current query:

| from datamodel:"DATAMODEL"
| lookup map.csv CURRENTPAGE
| where FULL_TIME > 0 and FULL_TIME < 10000000 and FORM="specified form from dropdown menu"

But how to transform it to "tstats"?

I am looking for a solution like:
| tstats avg(FULL_TIME) from datamodel="DATAMODEL"
| lookup map.csv CURRENT_PAGE
| where FULL_TIME > 0 and FULL_TIME < 10000000 and FORM="specified form from dropdown menu"

but without the pipe before lookup (I know it's necessary).

Best
Dawid

0 Karma

Ultra Champion

If you just want to add the KIND field from the lookup for lines with matching CURRENT_PAGE value, to the results of a dataset search, then that sounds like a typical job for the lookup command: http://docs.splunk.com/Documentation/Splunk/7.1.0/SearchReference/Lookup

So in your case (you might need to replace map.csv with the name you defined for this lookup in Splunk):

...your search that returns the dataset results ...
| lookup map.csv CURRENT_PAGE OUTPUT KIND

This will add the KIND column to the search results, and you can add further search commands to filter / sort / count whatever you want 🙂
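Added example (not from any post in this thread) of the same lookup approach applied to a tstats search, which is what the original question asks for. It assumes the data model and its root dataset are both named DATAMODEL (tstats refers to fields as dataset.field), that a lookup definition named map.csv exists, and that the dataset field is spelled CURRENTPAGE while the CSV column is CURRENT_PAGE, as the first post lists them; with differing names the lookup needs an AS mapping, otherwise it matches nothing and only adds empty KIND values. The filter values are placeholders.

```spl
| tstats avg(DATAMODEL.FULL_TIME) AS avg_full_time count
    FROM datamodel=DATAMODEL
    WHERE DATAMODEL.FULL_TIME>0 AND DATAMODEL.FULL_TIME<10000000
      AND DATAMODEL.FORM="specified form from dropdown menu"
    BY DATAMODEL.CURRENTPAGE
| rename DATAMODEL.CURRENTPAGE AS CURRENTPAGE
| lookup map.csv CURRENT_PAGE AS CURRENTPAGE OUTPUT KIND
| where KIND="placeholder kind value"
```

Two points worth checking before relying on the output: tstats only returns the fields named in its BY clause (plus the aggregates), so the field you join on must be in BY or the lookup has nothing to match against; and a row with an empty KIND after the lookup usually means the field names or the lookup definition name differ from what the CSV actually contains, which is easier to spot with `| where isnull(KIND)` than by eyeballing the table.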

Engager

Yes, I know, but unfortunately this command doesn't associate records by the common field.

Output looks like:
record from datamodel,
record from csv,
record from datamodel,
record from csv,

Instead of:
ACTION, CLASS, F_WorkFlowNumber, FULL_TIME, CURRENT_PAGE, KIND

0 Karma

Ultra Champion

Don't think that comment was aimed at my answer, was it? @richgalloway may have linked it wrongly?

0 Karma

Builder

A simple way to do this would be something like this:

| from datamodel:"datasetnamehere" | inputlookup append=t inputlooknamehere.csv

0 Karma

Engager

Yes, it was what I was looking for, but my main question was: how to do it with "tstats".

Current query:

| from datamodel:"DATAMODEL"
| lookup map.csv CURRENTPAGE
| where FULL_TIME > 0 and FULL_TIME < 10000000 and FORM="specified form from dropdown menu"

But how to transform it to "tstats"?

Best
Dawid

0 Karma

Ultra Champion

Guess this comment belongs to my answer?

To use a tstats datamodel search, you just need to change that first line. I'm not much of an expert on tstats datamodel search syntax, so if you need specific help with writing the tstats query, that would have to come from someone else.

0 Karma

Ultra Champion

That doesn't add the KIND field as a column to his dataset search results, that just glues the content of the lookup to the bottom of his search results. The way I understand his question a simple | lookup command would suffice.

0 Karma

Engager

Somesoni2: yes, of course... it is fully readable by Splunk.

0 Karma

SplunkTrust

Is the CSV data added as lookup table file?

0 Karma