Hi guys,
So I have just imported a csv file that has two kinds of information : Label & ID number. Now, I am trying to create a search to add into my dashboard that displays the Label and not the ID number.
The xml file's info is as shows right here:
Sorry for the long list. Can someone please help?
Thanks in advance for your help!
Like this:
| inputcsv YourFileName | stats values(id) AS IDs
Or maybe like this
| inputcsv YourFileName | table id
Be sure to use the correct capitalization for id
(your question is ambiguous on this).
Like this:
| inputcsv YourFileName | stats values(id) AS IDs
Or maybe like this
| inputcsv YourFileName | table id
Be sure to use the correct capitalization for id
(your question is ambiguous on this).
Thanks for your answer. I tried doing inputcsv categoryLabels | stats values(Label) AS Label
- but it would not execute. I am not interested in the ID field, but instead, the label field.
I also have tried inputcsv categoryLabels | table label
also did not work.
Also, do I need to include the .csv in my file name? The whole file name is categoryLabels.csv
Sorry about swapping the fields. Yes, you need the exact filename with extension AND it has to be in the proper place as indicated here:
http://docs.splunk.com/Documentation/Splunk/6.2.3/SearchReference/inputcsv
hmm its still not displaying any information at all even without the parameters. Was I suppose to do something else after adding it into my lookups?
You are missing the leading pipe character |
; it is critically important to type it exactly as shown:
| inputcsv categoryLabels.csv | table label
It's still giving me the same result as the previous times. " No results found"
Did you read the dox about where the file must be? If the file is not found, you will not get a "file not found" message, you will get "No results found". I am sure the problem is that you do not have the file in the correct place so that Splunk can find it. Where is the file now?
Inside Settings > lookups...
The file is not on the physical server that is running Splunk.
It has to be a physical file on the Search Head. You can probably do the same thing with KV Store
but I am not up to speed on it yet.
So it is not possible to search for this file unless it is on the physical server?
YES! That is why I said this at the VERY beginning:
AND it has to be in the proper place as indicated here:
http://docs.splunk.com/Documentation/Splunk/6.2.3/SearchReference/inputcsv
If you are clear on all this now, please "Accept" an answer to close off the question.