Splunk subsearch csv

12/27/2023

(That's what I had done in one extreme condition.) Then, use | eval in_list = if(isnull(dummy), "not in list", "in list").

If you are uncertain of such a condition in real data, you should add a dummy column to CSV that has a non-zero-length value in every row. In short, your CSV must contain at least one more column (other than Applicant_Email) that is fully populated. Consequentially, the absence of other field(s) indicates absence of a match. Therefore, presence of other field(s) is used to detect a match.

The way lookup works is that if the lookup field(s) - in my sample code, Applicant_Email AS primaryWorkEmail, match, the command will output other fields of the matching record.

| eval in_list = if(isnull(Applicant_Last_Name), "not in list", "in list")
| lookup trainingoct10.csv Applicant_Email AS primaryWorkEmail

if in ABC.csv file field name FirewallName total count is 1000 and in second lookup file XYZ.

| table First, Last, primaryWorkEmail, Training_Performed

My goal is to compare two lookup files by using field name FirewallName with FirewallHostname and get matching field values count.

| search Worker !="Level05" Termination_Date="" Training_Performed=""
Index=EmployeeData AND sourcetype=Directory* search NOT Hire_Date IN ("","","", "")

For example, if Applicant_Last_Name is always populated, If this assumption is not true, pick another field that is always populated. My sample code assumed that every trainee in that CSV file has a Training_Status (that is not zero length).

| eval FreeSpace=FreeSpace." GB", TotalSpace=TotalSpace.
| stats latest(FreeSpace) as FreeSpace latest(TotalSpace) as TotalSpace last(DESCRIPTION_MODEL) as Model last(SITE) as Site last(COUNTRY) as Country by host ]
| lookup lookup_cmdb_fo_all.csv HOSTNAME as host output DESCRIPTION_MODEL SITE COUNTRY

Sorry giuseeppe but it always doesn't work

But I have to integrate

[ | inputlookup host.csv
| stats last(Building) as "Geoloc" by host

Hi I said, the best way is to use a different approach, but for test try invert the searches: put the search on index in main search and inputlookup in subsearch:

`wire`
| table Hostname "Free space" "Total space" Model Site Country "Geoloc"
| stats last(Building) as "Geoloc" by host ]
| lookup test2.csv NAME as AP_NAME OUTPUT Building
| rename FreeSpace as "Free space", TotalSpace as "Total space"
| eval FreeSpace=FreeSpace." GB", TotalSpace=TotalSpace." GB"
| stats latest(FreeSpace) as FreeSpace latest(TotalSpace) as TotalSpace values(DESCRIPTION_MODEL) as Model values(SITE) as Site values(COUNTRY) as Country by host
| lookup test.csv HOSTNAME as host output SITE DESCRIPTION_MODEL ROOM COUNTRY

inputlookup table1. I tried the below SPL to build the SPL, but it is not fetching any results:

| eval TotalSpace = round(TotalSpace/1024,1)

I need to search each host value from lookup table in the custom index and fetch the max (time) and then store that value against the same host in lastseen.

| eval FreeSpace = round(FreeSpace/1024,1)
| fields Type Name TotalSpaceKB FreeSpaceKB host

What is the problem please?

[| inputlookup host.csv

I tried to modify the type (outer or left) but it continues to work randomly

What is strange is that sometimes it works fine and five minutes ago I can retrieve the fields "Geoloc" which is built after the join