How to create a search out of an imported csv file

splunkman341
Communicator

Hi guys,

So I have just imported a csv file that has two kinds of information: Label & ID number. Now, I am trying to create a search to add into my dashboard that displays the Label and not the ID number.

The xml file's info is as shown right here:

Sorry for the long list. Can someone please help?

Thanks in advance for your help!


woodcock
Esteemed Legend

Like this:

| inputcsv YourFileName | stats values(id) AS IDs

Or maybe like this

| inputcsv YourFileName | table id

Be sure to use the correct capitalization for id (your question is ambiguous on this).


splunkman341
Communicator

Thanks for your answer. I tried doing inputcsv categoryLabels | stats values(Label) AS Label, but it would not execute. I am not interested in the ID field, but instead, the label field.

I have also tried inputcsv categoryLabels | table label, which also did not work.

Also, do I need to include the .csv in my file name? The whole file name is categoryLabels.csv


woodcock
Esteemed Legend

Sorry about swapping the fields. Yes, you need the exact filename with extension AND it has to be in the proper place as indicated here:

http://docs.splunk.com/Documentation/Splunk/6.2.3/SearchReference/inputcsv

splunkman341
Communicator

Hmm, it's still not displaying any information at all, even without the parameters. Was I supposed to do something else after adding it into my lookups?


woodcock
Esteemed Legend

You are missing the leading pipe character |; it is critically important to type it exactly as shown:

| inputcsv categoryLabels.csv | table label

splunkman341
Communicator

It's still giving me the same result as the previous times: "No results found".


woodcock
Esteemed Legend

Did you read the dox about where the file must be? If the file is not found, you will not get a "file not found" message, you will get "No results found". I am sure the problem is that you do not have the file in the correct place so that Splunk can find it. Where is the file now?

splunkman341
Communicator

Inside Settings > lookups...

The file is not on the physical server that is running Splunk.


woodcock
Esteemed Legend

It has to be a physical file on the Search Head. You can probably do the same thing with KV Store but I am not up to speed on it yet.

splunkman341
Communicator

So it is not possible to search for this file unless it is on the physical server?


woodcock
Esteemed Legend

YES! That is why I said this at the VERY beginning:

AND it has to be in the proper place as indicated here:

http://docs.splunk.com/Documentation/Splunk/6.2.3/SearchReference/inputcsv

woodcock
Esteemed Legend

If you are clear on all this now, please "Accept" an answer to close off the question.
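
The thread's diagnosis is that a missing file shows up only as "No results found". As an added example (not from the thread or from Splunk), the shell function below checks the search head's filesystem for the CSV and prints which search command reads each copy it finds; it goes beyond the thread by also covering lookup table files, which are read with `| inputlookup`. The directory layout is an assumption based on a default install, and the function name `locate_splunk_csv` and the `/opt/splunk` fallback are hypothetical.

```bash
# Added example: report where a CSV sits under a Splunk install and which
# search command reads that location. The directories below are assumptions
# based on a default install; confirm them in the docs for your version.

locate_splunk_csv() {
    local home name rc dir path
    home="$1"
    name="$2"
    rc=1    # becomes 0 once at least one copy is found

    # Accept the name with or without the .csv extension.
    case "$name" in *.csv) ;; *) name="$name.csv" ;; esac

    # Locations inputcsv reads from (older releases used the parent directory).
    for dir in "$home/var/run/splunk/csv" "$home/var/run/splunk"; do
        if [ -f "$dir/$name" ]; then
            printf 'inputcsv %s\n' "$dir/$name"
            rc=0
        fi
    done

    # Lookup table files (e.g. uploaded under Settings > Lookups):
    # shared in an app, or private to a user.
    for path in "$home"/etc/apps/*/lookups/"$name" \
                "$home"/etc/users/*/*/lookups/"$name"; do
        if [ -f "$path" ]; then
            printf 'inputlookup %s\n' "$path"
            rc=0
        fi
    done

    # Splunk itself only says "No results found"; be explicit here.
    if [ "$rc" -ne 0 ]; then
        printf 'missing %s\n' "$name"
    fi
    return "$rc"
}

# When a file name is passed on the command line, check the real install.
[ $# -eq 0 ] || locate_splunk_csv "${SPLUNK_HOME:-/opt/splunk}" "$1"
```

A line starting with `inputlookup` means the file is a lookup table file rather than an `inputcsv` input, so the matching search would be `| inputlookup categoryLabels.csv | table Label`.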
