Those csv's, are they added to Splunk as lookup table file or are indexed?

Hi Somesoni2,

They are lookup tables

| inputlookup Data1.csv

Thanks for your help!

Give this a try

| inputlookup Data1.csv | table hostname ip serialNumber | eval site=replace(hostname,"^([^\-]+)\-([^\-]+)\-([^\-]+)$","\2") | lookup Data2.csv site OUTPUT site as WillDeployThisYear | eval WillDeployThisYear =if(isnotnull(WillDeployThisYear),"Yes","No") | lookup Data3.csv site OUTPUT langFieldNameHere longFieldNameHere

Assuming all 3 datasets have a field called "site", like this:

| inputlookup Data1.csv | rename Data1Site AS site
| inputlookup append=t Data2.csv | rename Data2Site AS site
| inputlookup append=t Data3.csv | rename Data3Site AS site
| stats values(*) AS * BY site

then just play around with the maps on the visualization tab.

Hi woodcock,

Thanks a lot for your time! I juste need 2 more things as asked in my question;

For Data1Site, I need to extract the site name and the type in 2 new columns using regex
For Data2Site, I need some kind of flag stating if it will be done this year please

Thanks again

Did you try it? It should provide a basis for all of your logic.

I did, it's not working because I need to do the regex to have the site name
The actual format is
Data1.csv contains hostname in lowercase: "tsk-site-type" (ie tsk-ranc-rscc01)
Data2.csv contains Site in uppercase (ie RANC)

So I need at least a rex to get a new column for the site name and the type to do the join by site

Thanks in advance

Fine, then you need to do a | rename and also | eval site=lower(site).