Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk DB Connect 1: How can I dynamically search from the lookup CSV file with dbquery?

prakharkulshres
New Member
‎07-28-2015 03:27 PM

I have a CSV file with three columns, say Name, Address, Lastname. I get Name from the dbquery, so I want to fetch all the rows present in the csv file that matches the name column.
I was trying something like below:

| dbquery schemaname 'select name from xyz' | lookup xyz.csv name

but it didn't work. Can someone share their views on it?

0 Karma
Reply

sduff_splunk
Splunk Employee
Splunk Employee
‎07-28-2015 06:26 PM

Have you properly added the lookup to Splunk, uploading the file, and then creating the lookup? As per http://docs.splunk.com/Documentation/Splunk/6.2.4/Knowledge/Addfieldsfromexternaldatasources Your lookup usually shouldn't reference the actual CSV file, but the lookup that you've created.

If you're still stuck, try breaking the statement up into smaller searches and confirm that you are getting the results at each stage (i.e., run just the dbquery and ensure you get the name field being produced - this will remove the dbconnect as a source of your problem)

0 Karma
Reply

prakharkulshres
New Member
‎07-29-2015 07:44 AM

Thanks for your reply, I have created the lookup properly and the dbquery is returning the name. When I try to use the name column from the dbquery to search in the lookup it doesn't return correct value. I tried something like below:

| dbquery schemaname 'select name from xyz' | join type=inner name [ inputlookup xyz]

This returns me name column and the first row in the lookup and not the matching row.

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...