Hello,
I have to merge a dataset with data from a CSV file.
The CSV file has been added correctly.
Dataset: ACTION, CLASS, CURRENT_PAGE, F_WorkFlowNumber, FULL_TIME
map.csv: CURRENT_PAGE, KIND
CURRENT_PAGE is the common field.
I have to show data from the dataset filtered by KIND.
How can I achieve this?
Best
Dawid
so I will repeat that question:
Yes, that was what I was looking for, but my main question was: how to do it with "tstats".
Current query:
| from datamodel:"DATAMODEL"
| lookup map.csv CURRENT_PAGE
| where FULL_TIME > 0 and FULL_TIME < 10000000 and FORM="specified form from dropdown menu"
but how to transform it to "tstats"?
I am looking for a solution like:
| tstats avg(FULL_TIME) from datamodel="DATAMODEL"
| lookup map.csv CURRENT_PAGE
| where FULL_TIME > 0 and FULL_TIME < 10000000 and FORM="specified form from dropdown menu"
but without pipe before lookup (I know it's necessary)
best
Dawid
If you just want to add the KIND field from the lookup for lines with matching CURRENT_PAGE value, to the results of a dataset search, then that sounds like a typical job for the lookup command: http://docs.splunk.com/Documentation/Splunk/7.1.0/SearchReference/Lookup
So in your case (you might need to replace map.csv with the name you defined for this lookup in Splunk):
...your search that returns the dataset results ...
| lookup map.csv CURRENT_PAGE OUTPUT KIND
This will add the KIND column to the search results, and you can add further search commands to filter / sort / count whatever you want 🙂
Yes, I know, but unfortunately this command doesn't associate records by the common field.
Output looks like:
record from datamodel,
record from csv,
record from datamodel,
record from csv,
Instead of:
ACTION, CLASS, F_WorkFlowNumber, FULL_TIME, CURRENT_PAGE, KIND
Don't think that comment was aimed at my answer, was it? @richgalloway may have linked it wrongly?
Simple way to do this would be something like this:
| from datamodel:"dataset_name_here" | inputlookup append=t inputlook_name_here.csv
Yes, that was what I was looking for, but my main question was: how to do it with "tstats".
Current query:
| from datamodel:"DATAMODEL"
| lookup map.csv CURRENT_PAGE
| where FULL_TIME > 0 and FULL_TIME < 10000000 and FORM="specified form from dropdown menu"
but how to transform it to "tstats"?
best
Dawid
Guess this comment belongs to my answer?
To use a tstats datamodel search, you just need to change that first line. I'm not much of an expert on tstats datamodel search syntax, so if you need specific help with writing the tstats query, that would have to come from someone else.
That doesn't add the KIND field as a column to his dataset search results, that just glues the content of the lookup to the bottom of his search results. The way I understand his question a simple | lookup command would suffice.
Somesoni2: yes of course... is fully readable by Splunk
Is the CSV data added as a lookup table file?
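
One way to write the tstats version asked about above, as an added example that is not from any poster in this thread: because tstats returns only aggregates, the FULL_TIME range test moves into its where clause, and sum and count are carried per CURRENT_PAGE so the average can be recomputed per KIND after the lookup. Assumptions: ROOT_DATASET is a placeholder for the data model's root dataset name, FULL_TIME and CURRENT_PAGE are fields of that dataset, and KIND_VALUE is a placeholder for the KIND to keep.

```spl
| tstats sum(ROOT_DATASET.FULL_TIME) AS total_time count(ROOT_DATASET.FULL_TIME) AS n
    from datamodel=DATAMODEL.ROOT_DATASET
    where ROOT_DATASET.FULL_TIME>0 AND ROOT_DATASET.FULL_TIME<10000000
    by ROOT_DATASET.CURRENT_PAGE
| rename ROOT_DATASET.CURRENT_PAGE AS CURRENT_PAGE
| lookup map.csv CURRENT_PAGE OUTPUT KIND
| where KIND="KIND_VALUE"
| stats sum(total_time) AS total_time sum(n) AS n by KIND
| eval avg_full_time = round(total_time / n, 2)
```

The FORM condition from the original query is left out because the thread does not say whether FORM is a data model field or a lookup output.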