Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to correlate 3 different CSV files with different column names?

krishnacasso
Path Finder
‎12-19-2016 12:32 PM

I have 3 different source CSV (file1, file2, file3) files.
In file 1, I have field(place) with value NJ and
In file 2, I have a field(city) with value NJ.
NJ is unique value in file 1 and file 2. I need to merge field names to City.
In file 2, I have a field(country) with value USA and
In file 3, I have a field(origin) with value USA.
USA is unique value in file 2 and file 3. I need to merge field names to Country.

I am trying to correlate the fields and join them and create a single table.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎12-19-2016 12:57 PM

Try something like this

source=csv1 OR source=csv2 OR source=csv3
| eval city=coalesce(city,place) | eval country=coalesce(country, origin)
| eventstats values(country) as country by city 
| eventstats values(city) as city by country
| stats values(field1) as field1 values(field2) as field2... by city country

View solution in original post

Reply
Solved! Jump to solution

surakshita
New Member
‎06-23-2017 11:47 AM

I also same type question. I have 3 excel files generating from the servers as reports,two files are in same format and one file has different columns. I wanted to consolidate 3 files and need to analyze for start time and start date for the job.Can anyone give us the inputs on this?

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎12-19-2016 01:02 PM

Try this.

| inputlookup file1.csv | lookup file2.csv city AS place | lookup file3.csv origin AS country | eval City=coalesce(place, city), Country=coalesce(country,origin) | ...
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

krishnacasso
Path Finder
‎12-22-2016 07:37 AM

Can we add a condition to the search like to display the chart only for the Manhattan city and USA

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎12-19-2016 12:57 PM

Try something like this

source=csv1 OR source=csv2 OR source=csv3
| eval city=coalesce(city,place) | eval country=coalesce(country, origin)
| eventstats values(country) as country by city 
| eventstats values(city) as city by country
| stats values(field1) as field1 values(field2) as field2... by city country
Reply
Get Updates on the Splunk Community!

Join Us at the Builder Bar at .conf24 – Empowering Innovation and Collaboration

What is the Builder Bar? The Builder Bar is more than just a place; it's a hub of creativity, collaboration, ...

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

This article is the continuation of the “Combine multiline logs into a single event with SOCK - a step-by-step ...

Everything Community at .conf24!

You may have seen mention of the .conf Community Zone 'round these parts and found yourself wondering what ...