Solved: Re: Mapping id and name from lookup csv

alanhodreamshub · ‎10-31-2021

Hello experts,

My splunk search can return only a list of group IDs, but group names can only be found separately

there is a groups.csv file which maps id and name

groupid,groupname,
"a1234", "apple",
"b2345","balloons",
"c1144","cats"

How can I write the query to return group id and the corresponding group name

index=myidx type=groups
| table _time groupid groupname

Thanks a lot!

jwalthour · ‎11-01-2021

Try this:

index=myidx type=groups
| lookup groups.csv groupid AS ‘request.groupid’ OUTPUTNEW groupname
| table _time request.groupid groupname

View solution in original post

alanhodreamshub · ‎11-01-2021

my bad, i should be more precise.

index=myidx type=groups
| table _time request.groupid groupname

this will return:

_time	request.groupid	groupname
2021-11-01 15:33	"a1234"
2021-11-01 15:33	"b2345"
2021-11-01 15:33	"c1144"

groups.csv:

groupid,groupname,
"a1234", "apple",
"b2345","balloons",
"c1144","cats"

How can i map request.groupid with the groupname (associated to groupid) in groups.csv

jwalthour · ‎11-01-2021

Try this:

index=myidx type=groups
| lookup groups.csv groupid AS ‘request.groupid’ OUTPUTNEW groupname
| table _time request.groupid groupname

alanhodreamshub · ‎11-01-2021

Thanks!

vhharanpositka · ‎10-31-2021

Hi @alanhodreamshub

You have to include the lookup life in the search for mapping the id and name.

Try this one

Search:

index=myidx type=groups | lookup groups.csv groupid OUTPUT groupname
| table _time groupid groupname

jwalthour · ‎10-31-2021

How about:

index=myidx type=groups
| lookup groups.csv groupid OUTPUTNEW groupname
| table _time groupid groupname

Mapping id and name from lookup csv

lookup

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases