Why is my inputlookup search not pulling a field from a CSV file needed to populate a timechart?

athorat
Communicator

Requirement was to delete the contents of the index as soon as a new .csv file arrives and index the contents of the new .csv file to use in a dashboard until the next data arrives.

There is a key value pair called state, but that is not visible when I use:

| inputlookup  test.csv

But when I index the data, I see the state field and can create a timechart.

This works:

index=input.csv |  timechart  count(state) as Count by state

The problem is when I use:

|inputlookup test.csv| timechart  count(state) as Count by state

This does not work as it's not able to find the state field, so I tried to use:

|inputlookup test.csv|fields state | timechart  count(state) as Count by state 

but even this does not work.

However, when I used:

|inputlookup test.csv|fields state 

it pulls the state field.

How do I get the timechart working using inputlookup?

woodcock
Esteemed Legend

Based on this first-2-lines sample of test.csv:

assigned_to u_vendor_ticket state sys_created_on
Jyotsna In Progress 6/17/2015 11:50

The problem is that it isn't a CSV! There are no commas. Assuming that the file contains tabs (TSV), you can convert it to CSV with the Linux shell like this:

sed "s/\t/,/g" test.csv

In any case, you have to convert it to a CSV (fields separated by commas) before anything will work.

0 Karma
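
The conversion suggested in the answer above, as an added example that is not part of the original thread: it goes beyond the `sed` one-liner by quoting values that contain a comma or a double quote and by checking that every row has as many fields as the header. The function names are hypothetical, and the sample rows are constructed on the assumption that the thread's file is tab-separated with an empty u_vendor_ticket.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample rows are constructed.

# Constructed sample: the thread's header and row, assuming tab separators
# and an empty u_vendor_ticket, plus one row whose first field has a comma.
sample_tsv() {
    printf 'assigned_to\tu_vendor_ticket\tstate\tsys_created_on\n'
    printf 'Jyotsna\t\tIn Progress\t6/17/2015 11:50\n'
    printf 'Lee, Sam\tVT-1\tClosed\t6/18/2015 09:05\n'
}

# Fail (non-zero exit) if any row has a different field count than the header.
tsv_columns_ok() {
    awk -F '\t' '
    NR == 1 { want = NF; next }
    NF != want {
        printf "line %d: %d fields, header has %d\n", NR, NF, want > "/dev/stderr"
        bad = 1
    }
    END { exit (bad ? 1 : 0) }'
}

# Convert TSV on stdin to CSV on stdout, quoting where a bare comma swap breaks.
tsv_to_csv() {
    awk -F '\t' '
    {
        sub(/\r$/, "")                  # strip CR left by Windows exports
        line = ""
        for (i = 1; i <= NF; i++) {
            field = $i
            if (field ~ /[",]/) {       # comma or quote inside the value
                gsub(/"/, "\"\"", field)
                field = "\"" field "\""
            }
            line = line (i > 1 ? "," : "") field
        }
        print line
    }'
}

sample_tsv | tsv_columns_ok && sample_tsv | tsv_to_csv
```
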

woodcock
Esteemed Legend

Try using inputcsv instead of inputlookup like this:

| inputcsv test.csv | timechart count AS Count BY state
0 Karma

athorat
Communicator

I tried using inputcsv, but the result is the same.
If I use "| inputcsv test.csv |fields state", this gives the State and its values.
But when I use the queries

| inputcsv test.csv | timechart count AS Count BY state
| inputcsv test.csv |fields state| timechart count AS Count BY state

they do not return any data.

0 Karma

woodcock
Esteemed Legend

There has to be something wrong with your test.csv. What are the first 2 lines of the file?

0 Karma

athorat
Communicator

assigned_to u_vendor_ticket state sys_created_on
Jyotsna In Progress 6/17/2015 11:50

u_vendor_ticket does not have any value.

0 Karma