Solved: How to use a file to map results from fields to mo...

exocore123 · ‎06-07-2017

I have log files that contain compCodes (over 500 different types of them). Is there a way I can create a mapping from a txt file, so when I query for the results, say:

stats count by compCodes

Can I use the file to map those and replace the compCodes to more meaningful names? (this is intended for an input populated drop-down search)

DalJeanis · ‎06-07-2017

Yes, you can create a a lookup csv file and use the | lookup command, or a join, or a whole bunch of other ways.

Assuming the file is mylookup.csv and has fields TheCode and TheDescription ...

| stats count as TheCount by compCodes
| lookup mylookup.csv TheCode as compCodes OUTPUT TheDescription as compDescription 
| table CompCodes compDescription TheCount

...or...

| stats count as TheCount by compCodes
| rename compCodes to TheCode
| inputlookup append=t mylookup.csv 
| stats values(*) as * by TheCode
| table TheCode TheDescription TheCount

View solution in original post

DalJeanis · ‎06-07-2017

Yes, you can create a a lookup csv file and use the | lookup command, or a join, or a whole bunch of other ways.

Assuming the file is mylookup.csv and has fields TheCode and TheDescription ...

| stats count as TheCount by compCodes
| lookup mylookup.csv TheCode as compCodes OUTPUT TheDescription as compDescription 
| table CompCodes compDescription TheCount

...or...

| stats count as TheCount by compCodes
| rename compCodes to TheCode
| inputlookup append=t mylookup.csv 
| stats values(*) as * by TheCode
| table TheCode TheDescription TheCount

How to use a file to map results from fields to more meaningful names?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!