Splunk Search

How to display multiple fields in one lookup command from one CSV file

Bracha
Path Finder

This is the line of code that takes the fields from the CSV file:

|lookup xxx.csv id OUTPUTNEW system time_range

I want to add one field:

|lookup xxx.csv id OUTPUTNEW system time_range count_err

When I do this nothing is added. Why?
I would appreciate your help, thanks.

1 Solution

Bracha
Path Finder

Hey
Thank you for being so helpful
Glad to say I solved it
It turns out I forgot to set it as a stats....


manjunathmeti
Champion

hi @Bracha,

Try with OUTPUT.

If the OUTPUTNEW clause is specified, the lookup is not performed for events in which the output fields already exist in the events.
If the OUTPUT clause is specified, the output lookup fields overwrite existing fields in the events.

Bracha
Path Finder

Hi @manjunathmeti 

Thanks for the reply.

I tried OUTPUT and it's the same behavior.


ITWhisperer
SplunkTrust

Either count_err doesn't exist in xxx.csv, or no events have a value in id which matches an entry in xxx.csv with a corresponding value in count_err.
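To make the OUTPUT / OUTPUTNEW distinction and the two causes ITWhisperer lists concrete, here is a small Python model of the join that `lookup` performs, added for this page; it is not code from the thread and not Splunk's implementation. The CSV contents, the events and the field names are constructed stand-ins for the poster's xxx.csv. Two rules are modelled as I understand Splunk's default CSV lookup behaviour and are marked as assumptions in the comments: matching is an exact, case-sensitive string comparison, and an empty lookup cell adds no field to the event.

```python
"""Model of the join performed by Splunk's `lookup` command, showing the
OUTPUT / OUTPUTNEW distinction and the usual reasons an output field stays
empty. Added illustration code, not Splunk's implementation."""
import csv
import io

# Constructed stand-in for the poster's xxx.csv (not their real data).
# The etl_hourly row deliberately has an empty count_err cell.
LOOKUP_CSV = """\
dag_id,system,time_range,count_err
etl_daily,billing,6h,3
etl_hourly,crm,1h,
report_weekly,finance,24h,5
"""

# Constructed events, one per failure mode discussed in the thread.
EVENTS = [
    {"dag_id": "etl_daily", "status": "failed"},                        # clean match
    {"dag_id": "etl_hourly", "status": "failed"},                       # matched row has empty count_err
    {"dag_id": "ETL_Daily", "status": "success"},                       # key differs only in case
    {"dag_id": "unknown_dag", "status": "success"},                     # key absent from the CSV
    {"dag_id": "report_weekly", "status": "failed", "count_err": "9"},  # event already has count_err
]


def load_lookup(text):
    """Parse CSV text into a list of row dicts, like a CSV lookup table."""
    return list(csv.DictReader(io.StringIO(text)))


def lookup(events, table, key, outputs, mode="OUTPUTNEW"):
    """Join each event against `table` on `key` and copy the `outputs` fields.

    OUTPUT overwrites a field the event already has; OUTPUTNEW leaves it
    alone (the docs describe this as the lookup not being performed for that
    event). Assumptions, modelled on Splunk's default CSV lookup behaviour:
    the key comparison is an exact, case-sensitive string match, and an
    empty lookup cell adds no field rather than an empty-string field.
    Only the first matching row is used (Splunk can return multivalue
    results for several matches; that case is not needed here).
    """
    if mode not in ("OUTPUT", "OUTPUTNEW"):
        raise ValueError("mode must be OUTPUT or OUTPUTNEW")
    columns = table[0].keys() if table else ()
    missing = [f for f in [key, *outputs] if f not in columns]
    if missing:
        # Splunk reports an error when a named lookup field is not in the table.
        raise ValueError(f"lookup fields not found in table: {missing}")
    joined = []
    for event in events:
        out = dict(event)
        match = next((row for row in table if row[key] == event.get(key)), None)
        if match is not None:
            for field in outputs:
                if mode == "OUTPUTNEW" and field in out:
                    continue          # OUTPUTNEW never touches an existing field
                if match[field] == "":
                    continue          # assumption: empty cell adds nothing
                out[field] = match[field]
        joined.append(out)
    return joined


def explain_missing(event, table, key, field, mode="OUTPUTNEW"):
    """Return why `field` would not be populated for `event`, or 'ok'."""
    columns = table[0].keys() if table else ()
    if field not in columns:
        return "field is not a column of the lookup"
    if mode == "OUTPUTNEW" and field in event:
        return "OUTPUTNEW and the event already has the field"
    value = event.get(key)
    matches = [row for row in table if row[key] == value]
    if not matches:
        if any(row[key].lower() == str(value).lower() for row in table):
            return "no match: key differs only in case"
        return "no match: key not in lookup"
    if all(row[field] == "" for row in matches):
        return "matched row has an empty cell for the field"
    return "ok"


if __name__ == "__main__":
    table = load_lookup(LOOKUP_CSV)
    fields = ["system", "time_range", "count_err"]
    for mode in ("OUTPUTNEW", "OUTPUT"):
        for original, ev in zip(EVENTS, lookup(EVENTS, table, "dag_id", fields, mode)):
            print(mode, ev["dag_id"], ev.get("count_err", "<missing>"),
                  explain_missing(original, table, "dag_id", "count_err", mode))
```

The same checks translate directly to a real search: run `| inputlookup xxx.csv` on its own and look for rows whose count_err cell is empty, compare the id values in the events against the CSV for case or whitespace differences, and remember that with OUTPUTNEW an event that already carries count_err from an earlier command keeps that value.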

Bracha
Path Finder

Hi @ITWhisperer 

Thanks for the reply.

count_err exists in xxx.csv.

I forgot to mention that when I do this, it does appear:

[inputlookup xxx.csv |search dag_id=**** |table system, time_range, count_err]

but I have to do it in lookup.

Thanks

ITWhisperer
SplunkTrust

Does count_err have a value for every id you have in your events?

Bracha
Path Finder

Yes

There are values for id in my events.

ITWhisperer
SplunkTrust

How large is your csv?

Bracha
Path Finder

Hi

5 columns and 79 rows

ITWhisperer
SplunkTrust

OK, so this size doesn't look like it should give you a problem, so it is possibly down to your actual data. Does it fail for all values of id? Are there other fields you could try adding instead of count_err which might work? Can you break down the problem further to try and isolate the issue?

Bracha
Path Finder

In the CSV file I have id, system, time_range, count_err.

I received a ready-made dashboard that monitors the DAGs from Airflow.
I am interested in creating its own alert for each DAG, with the same logic as the dashboard but with a small change.

In the dashboard I mark SUCCESS if the Airflow logs returned success within the time frame I gave in the same field of the CSV file, and ERROR if it did not return success or returned FAILED.
In the alert, I want it to be ERROR if I receive FAILED the number of times listed in the CSV file, or if it does not return success within the time_range I specified in the CSV file.
The dashboard takes from the file with the syntax:

[|inputlookup xxx.csv .....]
|lookup xxx.csv dag_id OUTPUTNEW system time_range

And I want to add a field:

|lookup xxx.csv dag_id OUTPUTNEW system time_range count_err

And I don't know why the extra field is not displayed.

Bracha
Path Finder

I note that it does not alert on the field that does not exist.
When I make another file that doesn't have the field, it does warn.
