Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- is it possible to use json file with csv lookup fi...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
is it possible to use json file with csv lookup file?
anooshac
Communicator
02-27-2020
01:35 AM
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
nickhills
Ultra Champion
02-27-2020
01:40 AM
No, not directly. Lookup FILES only work with CSV files.
You may be able to implement an external lookup with a script which parses your JSON data and returns matched values, but you would need to build this yourself.
Alternativly, you could write the JSON data into the KV store and use a KV lookup instead.
There are a couple of approaches for this, but if the json file is updated frequently, you may just be better finding a repeatable way to convert the json data to CSV.
If my comment helps, please give it a thumbs up!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
anooshac
Communicator
02-27-2020
03:05 AM
Thank you @nickhillscpl , i am yet to explore about these things. Can you please suggest some links to understand these things in a better way.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
nickhills
Ultra Champion
02-27-2020
03:16 AM
CSV Lookups: https://docs.splunk.com/Documentation/Splunk/8.0.2/Knowledge/Usefieldlookupstoaddinformationtoyourev...
External Lookups: https://docs.splunk.com/Documentation/Splunk/8.0.2/Knowledge/DefineanexternallookupinSplunkWeb
KV Lookups: https://docs.splunk.com/Documentation/Splunk/8.0.2/Knowledge/DefineaKVStorelookupinSplunkWeb
Good luck!
If my comment helps, please give it a thumbs up!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
02-27-2020
03:09 AM
|makeresults
| eval _raw="your_json"
| spath
| rename JSON_NESTED_FIELD_NAME AS Clean_Name
| outputcsv your.csv
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
nickhills
Ultra Champion
02-27-2020
03:15 AM
@to4kawa read my mind 🙂
This would also work if you are already indexing the json file (or can).
You could even use this approach to populate a kv lookup using |outputlookup
If my comment helps, please give it a thumbs up!
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Get Updates on the Splunk Community!
Tech Talk Recap | Mastering Threat Hunting
Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...
Observability for AI Applications: Troubleshooting Latency
If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...
Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?
In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...
