Splunk Search

How to reverse my current search to display names as opposed to numbers( lookup)

splunkman341
Communicator

Hi guys,

So I have a search that currently grabs the most active category, along with the most active subcategory under each category. For example, the most active category 10000002 has the most active subcategory 7000006 under it. I have this part done, but what I need help now with is that, as opposed to displaying the category number, I want it to display the category and subcategory name respectively. I inserted two CSV files, but now I am not sure if I need to create a new search, or if I have to modify the one I currently have.

This is currently the search that I have:

index=doccloud_main sourcetype=doccloud_catalina "Document workspace" NOT "draft" | rex "Category:\s*(?<Category>[^,]*),\s*subCategory:\s*(?<subCategory>.*)" | stats count by Category, subCategory | sort 30 - count
1 Solution

woodcock
Esteemed Legend

Assuming that your CSV file calls the category number "ID" and the category name "category" (do note that casing is important so "ID" is not the same as "id" or "Id"), this will definitely work:

index=doccloud_main sourcetype=doccloud_catalina "Document workspace" NOT "draft" | rex "Category:\s*(?<Category>[^,]*),\s*subCategory:\s*(?<subCategory>.*)" | stats count by Category, subCategory | sort 30 - count | lookup categoryInfo_lookup.csv ID AS Category OUTPUT category AS CategoryName

Also be aware that you must create a definition for the lookup to attach a Knowledge Object name to the file. You do this by going to Settings -> Lookups -> Lookup Definitions -> New. I am mentioning this because it looks to me like you are referencing the filename in your lookup command instead of a Lookup Definition (because of the .csv ending on categoryInfo_lookup.csv instead of something more conventional like categoryInfo_lookup).

somesoni2
Revered Legend

Assuming your current search is giving Category and SubCategory as codes (numeric) and you have two lookup table (CSV) files in Splunk named category_lookup.csv (with fields Category and CategoryName) and subcategory_lookup.csv (with fields subCategory and subCategoryName), then try this:

index=doccloud_main sourcetype=doccloud_catalina "Document workspace" NOT "draft" | rex "Category:\s*(?<Category>[^,]*),\s*subCategory:\s*(?<subCategory>.*)" | stats count by Category, subCategory | sort 30 - count | lookup category_lookup.csv Category OUTPUT CategoryName | lookup subcategory_lookup.csv subCategory OUTPUT subCategoryName | rename CategoryName as Category subCategoryName as subCategory | table Category, subCategory, count
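The two answers above hinge on the same two mechanics of `lookup`: the field names you give it must match the CSV header exactly (so `id` will never line up with a header of `ID`), and the `AS` clauses map the CSV's column names onto the event's field names on both the input and the `OUTPUT` side. The following Python script is an added example, not code from the thread or from Splunk; it emulates those mechanics on constructed data so the mapping can be checked offline. The CSV contents and the stats rows are made up; the `ID`/`category` header follows woodcock's assumption about the poster's categoryInfo_lookup.csv, and the `subCategory`/`subCategoryName` header follows somesoni2's assumed subcategory_lookup.csv. Each key is assumed to occur once per lookup file, so multi-match behaviour is not modelled.

```python
"""Emulate Splunk's `lookup` command on constructed data.

Added example (not from the thread). Shows that field names must match the
CSV header exactly and how `<csv_field> AS <event_field> OUTPUT <csv_field>
AS <new_name>` maps names. Keys are assumed unique per lookup file.
"""
import csv
import io

# Constructed lookup files; headers follow the layouts assumed in the thread.
CATEGORY_CSV = """ID,category
10000002,Contracts
10000003,Invoices
"""
SUBCATEGORY_CSV = """subCategory,subCategoryName
7000006,Signed
7000007,Pending
"""

# Constructed output of `stats count by Category, subCategory | sort 30 - count`.
STATS_ROWS = [
    {"Category": "10000002", "subCategory": "7000006", "count": 42},
    {"Category": "10000002", "subCategory": "7000007", "count": 17},
    {"Category": "10000003", "subCategory": "7000006", "count": 5},
    {"Category": "99999999", "subCategory": "7000006", "count": 1},  # no category match
]


def load_lookup(text):
    """Parse CSV text into its header (field names) and a list of dict rows."""
    reader = csv.DictReader(io.StringIO(text))
    return reader.fieldnames, list(reader)


def lookup(rows, csv_text, match_field, event_field, output_field, output_as=None):
    """Mimic `| lookup <csv> <match_field> AS <event_field> OUTPUT <output_field> AS <output_as>`.

    Field names are compared exactly, as Splunk does with CSV headers. A name
    that is not in the header (e.g. `id` against a header of `ID`) can never
    match a column, so it is rejected here instead of silently producing nothing.
    """
    header, table = load_lookup(csv_text)
    for name in (match_field, output_field):
        if name not in header:
            raise ValueError(f"lookup field '{name}' is not in the lookup table header {header}")
    output_as = output_as or output_field
    # Index the table by the match column's value (keys assumed unique).
    index = {r[match_field]: r[output_field] for r in table}
    result = []
    for ev in rows:
        new = dict(ev)
        val = index.get(ev.get(event_field))
        if val is not None:  # unmatched events keep their row; the output field is simply absent
            new[output_as] = val
        result.append(new)
    return result


def resolve_names(rows):
    """Apply both lookups as the thread's searches do, keeping the numeric codes.

    The category lookup needs `ID AS Category`, because the event field is
    named Category while the CSV column is ID; the subcategory lookup needs no
    AS because both sides already use subCategory.
    """
    rows = lookup(rows, CATEGORY_CSV, "ID", "Category", "category", "CategoryName")
    rows = lookup(rows, SUBCATEGORY_CSV, "subCategory", "subCategory", "subCategoryName")
    return rows


def lookup_rejects(match_field):
    """True if a lookup keyed on match_field is rejected (e.g. 'id' vs. header 'ID')."""
    try:
        lookup(STATS_ROWS, CATEGORY_CSV, match_field, "Category", "category")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for row in resolve_names(STATS_ROWS):
        print(row)
    print("lookup on 'id' rejected:", lookup_rejects("id"))
    print("lookup on 'ID' rejected:", lookup_rejects("ID"))
```

The quickest real-world check of the header assumption is `| inputlookup categoryInfo_lookup.csv | head 5`, which shows the column names exactly as Splunk sees them; if the first column comes back as `ID`, then `lookup ... id ...` cannot work and the `ID AS Category` form from the accepted answer is the one to use.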

splunkman341
Communicator

The category number in my csv file is labeled as "ID" and the actual name of the category is labeled as "category". I am attempting only category right now, and it is not working. This is what I have tried:

index=doccloud_main sourcetype=doccloud_catalina "Document workspace" NOT "draft" | rex "Category:\s*(?<Category>[^,]*),\s*subCategory:\s*(?<subCategory>.*)" | stats count by Category, subCategory | sort 30 - count | lookup categoryInfo_lookup.csv id OUTPUT category|  rename id as category 