Splunk Search

How would you go about including CSV data in your search results?

joea9
Explorer

I want to know how people would go about solving this problem...

In my Splunk search results I have a field called 'Name', which holds peoples names.

I also have a CSV file on the server which holds the following columns:
Name
Age
Date of Birth
Location

I want to use this CSV file to enrich my Splunk data. So that when I do a search, and Fred Bloggs appears in the results, I also want his Age, DOB and Location fields to be included in the Splunk results. I also want to be able to drill down on those Age, Date of Birth and Location fields from within the Splunk results.

Can anyone help with this? I really want to know what the best and cleanest solution is, so I can focus on doing it that way.

I have read some things about lookups and tags, and custom search scripts. But it's not clear to me how I would implement them to do what I need.

1 Solution

woodcock
Esteemed Legend

You do this by creating a lookup (see documentation link at the bottom) and then use it like this:

<Search With Name Here> | lookup name_details | ...

Then do whatever you like after that.

http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Addfieldsfromexternaldatasources
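As an added example (not part of the answer above), here is a complete lookup definition for the CSV described in the question. The app name, the file paths, the sourcetype name and the sample rows are my own assumptions; the stanza name name_details matches the search in the answer.

```ini
; $SPLUNK_HOME/etc/apps/<your_app>/lookups/name_details.csv
; Constructed sample rows; the header must match the CSV columns from the question.
;   Name,Age,Date of Birth,Location
;   Fred Bloggs,42,1982-03-14,London
;   Jane Doe,35,1989-07-02,Leeds

; $SPLUNK_HOME/etc/apps/<your_app>/local/transforms.conf
; Defines the lookup table. The stanza name is what "| lookup name_details" refers to.
[name_details]
filename = name_details.csv
; Match "fred bloggs" in an event against "Fred Bloggs" in the CSV.
case_sensitive_match = false

; $SPLUNK_HOME/etc/apps/<your_app>/local/props.conf
; Optional automatic lookup: applied to every event of this (assumed) sourcetype,
; so Age and Location appear in results without an explicit lookup command.
; OUTPUTNEW leaves an existing event field alone instead of overwriting it.
[sourcetype_with_name_field]
LOOKUP-name_details = name_details Name OUTPUTNEW Age Location

; Explicit form inside a search (SPL), equivalent to the answer above.
; Quoting handles the CSV column with spaces; AS renames it to a field
; that is easier to drill down on.
;   sourcetype=sourcetype_with_name_field
;   | lookup name_details Name OUTPUT Age, "Date of Birth" AS dob, Location
;   | table Name Age dob Location
```

Events whose Name has no row in the CSV simply get no Age, dob or Location field, so a `| where isnull(dob)` step is a quick check that the CSV covers the names in your data.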


joea9
Explorer

I'd tried lookups before but I didn't get very far, and I then started to look at alternatives, i.e. custom Python scripts that pull in a CSV file etc.

Although re-reading the lookup documentation that you linked to, it is clearly the method that I should be using.

Thanks for pointing me back down the correct track. I'll give it another go and if I have issues again I'll create a new Question.

Just as an aside question, does the configuration method described in that documentation produce the same outcome as creating lookups via the GUI? I had only tried via the GUI but the transform.conf instructions seem clearer.


woodcock
Esteemed Legend

Yes, identical. Anything you can do from the GUI can be done from the CLI directly acting on the *.conf files (which is where the GUI stores the stuff you enter there).
