Splunk Search

adding data from lookup to search

smudge797
Path Finder

I have a spreadsheet.csv with the following info:
date, SID
16/03/2016, x555xx5x5
...

I want to add the SID value as Account_Name to search:

index=blah source=blah.log Account_Name= |stats count

Whats the most efficient method and example in distributed environment?

Thanks in advance!

0 Karma

somesoni2
Revered Legend

Try something like this (based on where you've your csv file, choose between inputcsv( if in $SPLUNK_HOME/var/run/splunk) or inputlookup (if it's added as lookup table file $SPLUNK_HOME/etc/apps/AppName/lookups)

index=blah source=*blah.log [inputcsv spreadsheet.csv | stats count by SID | table SID | rename SID as Account_Name] |stats count

smudge797
Path Finder

cool thanks!

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...