- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Why is my inputlookup search not pulling a field f...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why is my inputlookup search not pulling a field from a CSV file needed to populate a timechart?
Requirement was to delete the contents of the index as soon as a new .csv file arrives and index the contents of the new .csv file to use in a dashboard until the next data arrives.
There is a key value pair called state, but that is not visible when I use:
| inputlookup test.csv
But when I index the data, I see the state field and can create a timechart.
This works:
index=input.csv | timechart count(state) as Count by state
The problem is when I use:
|inputlookup test.csv| timechart count(state) as Count by state
This does not work as its not able to find the state field, so I tried to use
|inputlookup test.csv|fields state | timechart count(state) as Count by state
but even this does not work.
However, when I used:
|inputlookup test.csv|fields state
it pulls the state field.
How to get the timechart working using inputlookup?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Based on this first-2-lines sample of test.csv:
assigned_to u_vendor_ticket state sys_created_on
Jyotsna In Progress 6/17/2015 11:50
The problem is that it isn't a CSV! There are no commas. Assuming that the file contains Tabs (TSV) so you can convert it to CSV with linux shell like this:
sed "s/\t/,/g" test.csv
In any case, you have to convert it to a CSV (fields separated by commas) before anything will work.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try using inputcsv instead of inputlookup like this:
| inputcsv test.csv | timechart count AS Count BY state
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried using inputcsv but the same.
If I use, " | inputcsv test.csv |fields state " , this will give the State and its values
But when I use the queries
| inputcsv test.csv | timechart count AS Count BY state
| inputcsv test.csv |fields state| timechart count AS Count BY state
it does not return any data.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There has to be something wrong with your test.csv. What are the first 2 lines of the file?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
assigned_to u_vendor_ticket state sys_created_on
Jyotsna In Progress 6/17/2015 11:50
u_vendor_ticket does not have any value.
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
