Splunk Search

Merge dataset from tstat with data from external *.csv file.

Czakanski
Engager

Hello,

I have to merge a dataset with data from a CSV file.
The CSV file is already added.

Dataset:
ACTION,
CLASS,
CURRENT_PAGE,
F_WorkFlowNumber,
FULL_TIME

map.csv:
CURRENT_PAGE,
KIND

CURRENT_PAGE is common field.

I have to show data from the dataset filtered by KIND.

How can I achieve this ?

Best
Dawid

0 Karma

Czakanski
Engager

So I will repeat that question:

Yes, that is what I was looking for, but my main question was: how to do it with "tstats".

Current query:

| from datamodel:"DATAMODEL"
| lookup map.csv CURRENT_PAGE
| where FULL_TIME > 0 and FULL_TIME < 10000000 and FORM="specified form from dropdown menu"

but how to transform it to "tstats"?

I am looking for a solution like:
| tstats avg(FULL_TIME) from datamodel="DATAMODEL"
| lookup map.csv CURRENT_PAGE
| where FULL_TIME > 0 and FULL_TIME < 10000000 and FORM="specified form from dropdown menu"

but without the pipe before lookup (I know it's necessary).

best
Dawid

0 Karma

FrankVl
Ultra Champion

If you just want to add the KIND field from the lookup for lines with matching CURRENT_PAGE value, to the results of a dataset search, then that sounds like a typical job for the lookup command: http://docs.splunk.com/Documentation/Splunk/7.1.0/SearchReference/Lookup

So in your case (you might need to replace map.csv with the name you defined for this lookup in Splunk):

...your search that returns the dataset results ...
| lookup map.csv CURRENT_PAGE OUTPUT KIND

This will add the KIND column to the search results, and you can add further search commands to filter / sort / count whatever you want 🙂

Czakanski
Engager

Yes, I know, but unfortunately this command doesn't associate records by the common field.

Output looks like:
record from datamodel,
record from csv,
record from datamodel,
record from csv,

Instead of:
ACTION, CLASS, F_WorkFlowNumber, FULL_TIME, CURRENT_PAGE, KIND

0 Karma

FrankVl
Ultra Champion

Don't think that comment was aimed at my answer, was it? @richgalloway may have linked it wrongly?

0 Karma

Azeemering
Builder

Simple way to do this would be something like this:

| from datamodel:"dataset_name_here" | inputlookup append=t inputlook_name_here.csv

0 Karma

Czakanski
Engager

Yes, that is what I was looking for, but my main question was: how to do it with "tstats".

Current query:

| from datamodel:"DATAMODEL"
| lookup map.csv CURRENT_PAGE
| where FULL_TIME > 0 and FULL_TIME < 10000000 and FORM="specified form from dropdown menu"

but how to transform it to "tstats"?

best
Dawid

0 Karma

FrankVl
Ultra Champion

Guess this comment belongs to my answer?

To use a tstats datamodel search, you just need to change that first line. I'm not much of an expert on tstats datamodel search syntax, so if you need specific help with writing the tstats query, that would have to come from someone else.

0 Karma
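As an added example (not posted by anyone in this thread), this is how that first line changes when the dataset search is replaced by tstats, and why the where clause has to move. tstats aggregates at the index/summary level, so after avg(FULL_TIME) the raw FULL_TIME field no longer exists and cannot be filtered afterwards; the numeric range and the FORM condition belong in the tstats where clause, and CURRENT_PAGE has to be in the by clause so the lookup still has a key to match on. It assumes the root dataset of the data model is also named DATAMODEL (tstats addresses fields as Dataset.field), that FORM is a field of that dataset, and that the lookup is defined under the name map.csv; "some_kind" is a placeholder value for KIND.

```spl
| tstats avg(DATAMODEL.FULL_TIME) AS avg_full_time
    from datamodel=DATAMODEL
    where DATAMODEL.FULL_TIME>0 DATAMODEL.FULL_TIME<10000000
          DATAMODEL.FORM="specified form from dropdown menu"
    by DATAMODEL.CURRENT_PAGE
| rename DATAMODEL.CURRENT_PAGE AS CURRENT_PAGE
| lookup map.csv CURRENT_PAGE OUTPUT KIND
| where KIND="some_kind"
```

The rename strips the dataset prefix so the lookup key matches the CURRENT_PAGE column in map.csv; without it the lookup silently adds nothing. The KIND filter at the end runs only over the already-aggregated rows, one per CURRENT_PAGE, so it is cheap. If KIND must restrict the events before aggregation instead, put a subsearch over | inputlookup map.csv that returns the matching CURRENT_PAGE values (renamed to DATAMODEL.CURRENT_PAGE) inside the tstats where clause. Check the dataset name with | datamodel DATAMODEL or under Settings > Data models before relying on the DATAMODEL.field prefix; if the model is not accelerated, tstats falls back to a normal search unless summariesonly=true is set, in which case it returns nothing.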

FrankVl
Ultra Champion

That doesn't add the KIND field as a column to his dataset search results, that just glues the content of the lookup to the bottom of his search results. The way I understand his question a simple | lookup command would suffice.

0 Karma

Czakanski
Engager

somesoni2: yes, of course... it is fully readable by Splunk.

0 Karma

somesoni2
SplunkTrust

Is the CSV data added as lookup table file?

0 Karma