Why is my inputlookup search not pulling a field f...

athorat · ‎08-28-2015

Requirement was to delete the contents of the index as soon as a new .csv file arrives and index the contents of the new .csv file to use in a dashboard until the next data arrives.

There is a key value pair called state, but that is not visible when I use:

| inputlookup  test.csv

But when I index the data, I see the state field and can create a timechart.

This works:

index=input.csv |  timechart  count(state) as Count by state

The problem is when I use:

|inputlookup test.csv| timechart  count(state) as Count by state

This does not work as its not able to find the state field, so I tried to use

|inputlookup test.csv|fields state | timechart  count(state) as Count by state

but even this does not work.

However, when I used:

|inputlookup test.csv|fields state

it pulls the state field.

How to get the timechart working using inputlookup?

woodcock · ‎08-31-2015

Based on this first-2-lines sample of test.csv:

assigned_to u_vendor_ticket state sys_created_on
Jyotsna In Progress 6/17/2015 11:50

The problem is that it isn't a CSV! There are no commas. Assuming that the file contains Tabs (TSV) so you can convert it to CSV with linux shell like this:

sed "s/\t/,/g" test.csv

In any case, you have to convert it to a CSV (fields separated by commas) before anything will work.

woodcock · ‎08-28-2015

Try using inputcsv instead of inputlookup like this:

| inputcsv test.csv | timechart count AS Count BY state

athorat · ‎08-31-2015

woodcock · ‎08-31-2015

There has to be something wrong with your test.csv. What are the first 2 lines of the file?

athorat · ‎08-31-2015

assigned_to u_vendor_ticket state sys_created_on
Jyotsna In Progress 6/17/2015 11:50

u_vendor_ticket does not have any value.

Why is my inputlookup search not pulling a field from a CSV file needed to populate a timechart?

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk