filterlooki.blogg.se

Splunk join one to many

So I thought I'd merge all events in one line in a row. Reason: I have a dashboard which can just show one result and it doesn't recognize the other fields, just one. If you don’t see a good way to do what you want to do, post a question on and some of us will help you out. Hi, is it possible to merge two or more event results in one? The events are from the same field.


If you find yourself having to do lots of manual work with lookup files, then look for a better way. If you take away nothing else from this article, take this: Splunk can do some crazy stuff with lookups. Make sure to change “| search *” to match the events you want to look for matches in (a “*” search is probably a little unnecessary). I’m using the join command to filter down the events to those that match the lookup: There are many other things you can do with search language and manipulation of CSV files (e.g. stripping out rows and columns, reformatting cells) so be creative. Finally, I can use the lookup file to find events that match the given lookup file. | inputlookup email_addresses.csv append=t | rex field=email | outputlookup email_addresses_2.csv | inputlookup email_addresses.csv append=t | rex field=email yields the following: Now that I have the output I want, I rewrite it out to a new lookup file (email_addresses_2.csv) using outputlookup:


This results in output that looks like: then use the rex search command to split out the local and domain portions: | inputlookup email_addresses.csv append=t To start, I’ll display the lookup file in search using the inputlookup search command (assume I already imported it via the Lookup Editor App): Let’s consider an example where I want to split out an email address field in a CSV file into separate domain and local fields (e.g. He manipulated it manually but the search interface is a great way to modify CSV files. Press save to persist it. Another thing the customer mentioned to me was that he needed to clean up and fix some things in the lookup file before he could use it. This will import the contents of the lookup file into the view. Next, click “import from CSV file” at the top right and select your file. To do so, open the Lookup Editor and click the “New” button.


If you want to import a spreadsheet from Excel, all you have to do is save it as a CSV and import it via the app.


That app is free and it allows you to make new lookup files and edit them in a nice interface. Creating a new lookup file in the Lookup Editor app. First, I highly recommend checking out the lookup editor app.













