I hope I can hang on too this thread, since my problem is equal:
phone.csv
Code, Country
45, Denmark
46, Sweden
47, Norway
48, Poland
Example line list
Jun 17 10:27:34 172.30.112.1 AAA: 172.30.34.58 logged in with username 0045696744444
client_ip = 172.30.34.58
client_site = House_of_fun
eventtype = Portal_User_logged_in Information
module = AAA
sourcetype = udp:514
tag = Information
username = 0045696744444
So then I tried to modify your line and got this:
host="172.30.112.1" username="00*" | inputcsv phone.csv append=t | stats values(Code) AS Code values(Country) AS Country values(username) AS username | mvexpand Code | eval Code=substr(Code,3) | eval CountryName=if(match(username, Code), Country, "No match") | table username Code CountryName
or this:
host="172.30.112.1" username="00*" | inputcsv C:\Program Files\Splunk\etc\apps\search\lookups\phone.csv append=t | stats values(Code) AS Code values(Country) AS Country values(username) AS username | mvexpand Code | eval Code=substr(Code,3) | eval CountryName=if(match(username, Code), Country, "No match") | table username Code CountryName
Can you see what is wrong? Why it just give list with all numbers, and on first line I get under Country name "No match"?
PS, This: "eval Code=substr(Code,3)" should remove the two "00"? (starting from third character)
Also tried do add "00" to the csv file, and also with and without the "substr" code
... View more