- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How would you go about including CSV data in your ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I want to know how people would go about solving this problem...
In my Splunk search results I have a field called 'Name', which holds peoples names.
I also have a CSV file on the server which holds the following columns:
Name
Age
Date of Birth
Location
I want to use this CSV file to enrich my splunk data. So that when I do a search, and Fred Bloggs appears in the results, I also want his Age, DOB and Location fields to be included in the Splunk results. I also want to be able to drill down on those Age, Date of Birth and Location fields from within the Splunk results.
Can anyone help with this? I really want to know what the best and cleanest solution is, so I can focus on doing it that way.
I have read some things about lookups and tags, and custom search scripts. But it's not clear to me how I would implement them to do what I need.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You do this by creating a lookup (see documentation link at the bottom) and then use it like this:
<Search With Name Here> | lookup name_details | ...
Then do whatever you like after that.
http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Addfieldsfromexternaldatasources
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You do this by creating a lookup (see documentation link at the bottom) and then use it like this:
<Search With Name Here> | lookup name_details | ...
Then do whatever you like after that.
http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Addfieldsfromexternaldatasources
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'd tried lookups before but I didn't get very far, and I then started to look at alternatives, ie custom python scripts that pull in a CSV file etc.
Although re-reading the lookup documentation that you linked to, it is clearly the method that I should be using.
Thanks for pointing me back down the correct track. I'll give it another go and if I have issues again I'll create a new Question.
Just as an aside question, does the configuration method described in that documentation produce the same outcome as creating lookups via the GUI? I had only tried via the GUI but the transform.conf instructions seem clearer.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, identical. Anything you can do from the GUI can be done from the CLI directly acting on the *.conf files (which is where the GUI stores the stuff you enter there).
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
