Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why is my inputlookup search not pulling a field from a CSV file needed to populate a timechart?

athorat
Communicator
‎08-28-2015 03:05 PM

Requirement was to delete the contents of the index as soon as a new .csv file arrives and index the contents of the new .csv file to use in a dashboard until the next data arrives.

There is a key value pair called state, but that is not visible when I use:

| inputlookup  test.csv

But when I index the data, I see the state field and can create a timechart.

This works: 

index=input.csv |  timechart  count(state) as Count by state

The problem is when I use: 

|inputlookup test.csv| timechart  count(state) as Count by state

This does not work as its not able to find the state field, so I tried to use 

|inputlookup test.csv|fields state | timechart  count(state) as Count by state

but even this does not work.

However, when I used:

|inputlookup test.csv|fields state

it pulls the state field.

How to get the timechart working using inputlookup?

Reply

woodcock
Esteemed Legend
‎08-31-2015 12:12 PM

Based on this first-2-lines sample of test.csv:

assigned_to u_vendor_ticket state sys_created_on
Jyotsna In Progress 6/17/2015 11:50

The problem is that it isn't a CSV! There are no commas. Assuming that the file contains Tabs (TSV) so you can convert it to CSV with linux shell like this:

sed "s/\t/,/g" test.csv

In any case, you have to convert it to a CSV (fields separated by commas) before anything will work.

0 Karma
Reply

woodcock
Esteemed Legend
‎08-28-2015 07:42 PM

Try using inputcsv instead of inputlookup like this:

| inputcsv test.csv | timechart count AS Count BY state
0 Karma
Reply

athorat
Communicator
‎08-31-2015 11:42 AM

I tried using inputcsv but the same.
If I use, " | inputcsv test.csv |fields state " , this will give the State and its values
But when I use the queries
| inputcsv test.csv | timechart count AS Count BY state
| inputcsv test.csv |fields state| timechart count AS Count BY state
it does not return any data.

0 Karma
Reply

woodcock
Esteemed Legend
‎08-31-2015 11:58 AM

There has to be something wrong with your test.csv. What are the first 2 lines of the file?

0 Karma
Reply

athorat
Communicator
‎08-31-2015 12:04 PM

assigned_to u_vendor_ticket state sys_created_on
Jyotsna In Progress 6/17/2015 11:50

u_vendor_ticket does not have any value.

0 Karma
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...