Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Cross referencing to fill in missing details

rattyryan
Explorer
‎02-06-2014 08:33 AM

Hi,

I have two .csv files. One contains an IP address with associated output data, a second contains the IP address along with the location and building. How do I go about using both as a source and have a single output to contain the IP address with building, location and associated output data?

I have looked into the use of lookups. Would this work? If I were to create a lookup for csv1 and manually put in empty field for building and location before uploading. And then source the second csv with lookup for csv1 and use a transaction by IP address? Would that work you think?

Tags (2)
0 Karma
Reply

ArthurGautesen
Path Finder
‎04-26-2017 04:57 PM

You could have any details from csv1 displayed, but this method (providing that IP is a valid field, AND IP is a valid field in csv2) give you access to both lookups of data using IP as the reference. Now, you also have to make certain that IP is a unique value in both csv1 and csv2. 

|inputlookup csv1 
| lookup csv2 IP

If IP is not the name of the ip address field in csv1 but is in csv2, then you need to rename it between the two like this

|inputlookup csv1 | rename ipaddress AS IP
| lookup csv2 IP

Hope this helps

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...