Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to match a fieldA from an index to fieldA in a CSV lookup file and output the corresponding fieldB?

abbam
Explorer
‎06-09-2016 01:19 AM

Hi guys,

Wondering if anyone can help me and if this can be done.

I have a CSV file with two columns.

CSV file looks like this:

domain_name           Reference
abc.com               ABC
bbc.co.uk             BBC

In my index, I have a field called domain_name in which I can run the following search on:

index=data [|inputlookup test.csv | fields domain_name]

The above search works, however, I want to also reference that domain_name to the Reference column in the CSV file. This is where the problem starts because there isn't a Reference field in the index=data, so the search fails to find any results.

My end goal is to get a number of References against the domain_names so it looks like this:

Reference      count
ABC              150
BBC               25

Can this be done at all?

0 Karma
Reply

cb_usps
Explorer
‎06-13-2016 11:45 AM

If you setup your lookup table to do automatic lookups, then your Reference field will be a field in each event which has a domain_name.
At that point, you can then write a search similar to this:

 _your_search_here_ | stats count(domain_name) as count by Reference
0 Karma
Reply

woodcock
Esteemed Legend
‎06-13-2016 09:17 AM

The "right" way to do it is to setup the CSV as a lookup table. But let's look at doing it directly without doing that. Assume your file is called test.csv and try this:

index=data | eval dataset="nonCSV"
| appendpipe  [|inputlookup test.csv | eval dataset="CSV" ]
| stats values(*) AS * BY domain_name
| stast count BY Reference
0 Karma
Reply

sundareshr
Legend
‎06-09-2016 04:25 AM

Try this

index=data | lookup test.csv domain_name OUTPUT Reference | where isnotnull(Reference) | stats count by Reference
0 Karma
Reply

abbam
Explorer
‎06-09-2016 05:18 AM

afraid nothing, doesnt return any events.

0 Karma
Reply

ryanoconnor
Builder
‎06-09-2016 03:40 AM

Is there a domain_name field inside of index=data? If so you might want to use the lookup command (http://docs.splunk.com/Documentation/Splunk/6.4.1/SearchReference/Lookup) instead of inputlookup. That way you can lookup the domain_name field of each event and return the Reference and then apply some stats commands on that.

0 Karma
Reply

abbam
Explorer
‎06-09-2016 03:53 AM

Yes domain_name exists, Reference doesn't... however, I tried to butcher something together and it didn't work.

how would something like this be written?

0 Karma
Reply

ryanoconnor
Builder
‎06-09-2016 09:28 AM

You've uploaded the Lookup Table, have you also defined a Lookup Definition? You'll need to do that to use it in a search.

http://docs.splunk.com/Documentation/Splunk/6.4.1/Knowledge/Usefieldlookupstoaddinformationtoyoureve...

The following is basic but should work provided you have the correct permissions to use the lookup.

index=data | lookup test.csv domain_name OUTPUT Reference | table domain_name Reference | stats count by Reference

0 Karma
Reply

ryanoconnor
Builder
‎06-13-2016 10:23 AM

@abbam were you able to verify if the lookup definition is configured?

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...