https://community.splunk.com/t5/Splunk-Search/How-to-count-with-inputlookup/m-p/384358#M112251 <P>Hi, I have a search that I have been struggle for a few days.</P> <P>I have an index that contains two fields: <STRONG>type</STRONG> and <STRONG>Total_Count</STRONG><BR /> I have another CSV that contains similar fields: <STRONG>stype</STRONG> and <STRONG>sTotal_Count</STRONG></P> <P>Now the index may have many row with same <STRONG>type</STRONG> and difference <STRONG>Total_Count</STRONG>, same on the CSV</P> <P>Purpose of the search is: for each row in index, find out how many row in CSV that have <STRONG>stype</STRONG> is equal <STRONG>type</STRONG>, and <STRONG>sTotal_Count</STRONG> is greater than <STRONG>Total_Count</STRONG>, then append the count to the table along side with <STRONG>type</STRONG> and <STRONG>Total_Count</STRONG></P> <P>So I have test this inputlookup on CSV and it work fine</P> <PRE><CODE>| inputlookup typeA.csv where stype="A01" and sTotal_Count &gt; 30 | stats count </CODE></PRE> <P>Then I would do something like this</P> <PRE><CODE>index="ktme_v7_measurement" | join [|inputlookup typeA.csv where stype=type and sTotal_Count &gt; Total_Count | stats count as type_c] | table type Total_Count type_c </CODE></PRE> <P>But the <STRONG>type_c</STRONG> column is always 0</P> <P>Then I found this question, he had same problem with me on passing field into subsearch</P> <P>answers/85076/passing-parent-data-into-subsearch.html</P> <P>but the answer was</P> <BLOCKQUOTE> <P>an outer search cannot pass values into a subsearch</P> </BLOCKQUOTE> <P>And now I'm stuck, I'm very new to Splunk so I can not figure out how to do my search here.</P> <P>Please help me, many thanks</P> Wed, 22 May 2019 07:52:16 GMT thanhnv244 2019-05-22T07:52:16Z https://community.splunk.com/t5/Splunk-Search/How-to-count-with-inputlookup/m-p/384358#M112251 <P>Hi, I have a search that I have been struggle for a few days.</P> <P>I have an index that contains two fields: <STRONG>type</STRONG> and <STRONG>Total_Count</STRONG><BR /> I have another CSV that contains similar fields: <STRONG>stype</STRONG> and <STRONG>sTotal_Count</STRONG></P> <P>Now the index may have many row with same <STRONG>type</STRONG> and difference <STRONG>Total_Count</STRONG>, same on the CSV</P> <P>Purpose of the search is: for each row in index, find out how many row in CSV that have <STRONG>stype</STRONG> is equal <STRONG>type</STRONG>, and <STRONG>sTotal_Count</STRONG> is greater than <STRONG>Total_Count</STRONG>, then append the count to the table along side with <STRONG>type</STRONG> and <STRONG>Total_Count</STRONG></P> <P>So I have test this inputlookup on CSV and it work fine</P> <PRE><CODE>| inputlookup typeA.csv where stype="A01" and sTotal_Count &gt; 30 | stats count </CODE></PRE> <P>Then I would do something like this</P> <PRE><CODE>index="ktme_v7_measurement" | join [|inputlookup typeA.csv where stype=type and sTotal_Count &gt; Total_Count | stats count as type_c] | table type Total_Count type_c </CODE></PRE> <P>But the <STRONG>type_c</STRONG> column is always 0</P> <P>Then I found this question, he had same problem with me on passing field into subsearch</P> <P>answers/85076/passing-parent-data-into-subsearch.html</P> <P>but the answer was</P> <BLOCKQUOTE> <P>an outer search cannot pass values into a subsearch</P> </BLOCKQUOTE> <P>And now I'm stuck, I'm very new to Splunk so I can not figure out how to do my search here.</P> <P>Please help me, many thanks</P> Wed, 22 May 2019 07:52:16 GMT https://community.splunk.com/t5/Splunk-Search/How-to-count-with-inputlookup/m-p/384358#M112251 thanhnv244 2019-05-22T07:52:16Z https://community.splunk.com/t5/Splunk-Search/How-to-count-with-inputlookup/m-p/384359#M112252 <P>This requires getting creative with eventstats and multivalue functions.</P> <PRE><CODE>index="ktme_v7_measurement" | table type Total_Count | streamstats count as rownum | append [|inputlookup typeA.csv | rename stype as type | table stype sTotal_Count ] | eventstats list(sTotal_Count) as cvalues by type | search Total_Count=* | mvexpand cvalues | where cvalues&gt;Total_Count | stats count by type,Total_Count,rownum | table type,Total_Count,count </CODE></PRE> <P>This gets the data from the index, keeps the 2 relevant columns and gives each row a unique number. This way the search also works when there are duplicate (type,Total_Count) entries in the index. It then adds the data from the lookup, renaming the stype field to type and again keeping only the relevant columns. It then lists all sTotal_Count values found for the same type. It then drops the rows originating from the lookup. It expands the multivalue field and then filters rows where the cvalue is greater than the Total_Count and then counts the entries by type,Total_count,rownum and finally drops the rownum and cvalues columns.</P> Wed, 30 Sep 2020 00:41:56 GMT https://community.splunk.com/t5/Splunk-Search/How-to-count-with-inputlookup/m-p/384359#M112252 FrankVl 2020-09-30T00:41:56Z https://community.splunk.com/t5/Splunk-Search/How-to-count-with-inputlookup/m-p/384360#M112253 <P>Thank you very much, I think the result is perfect for me. The query seem overwhelming, I need to study it more.</P> Thu, 23 May 2019 00:18:21 GMT https://community.splunk.com/t5/Splunk-Search/How-to-count-with-inputlookup/m-p/384360#M112253 thanhnv244 2019-05-23T00:18:21Z https://community.splunk.com/t5/Splunk-Search/How-to-count-with-inputlookup/m-p/384361#M112254 <P>Feel free to drop a comment if you need further explanation. A good way to understand what it does, is just execute it step by step (possibly adding some filtering to reduce the number of rows, so it is easier to see what happens in each step).</P> Thu, 23 May 2019 08:10:02 GMT https://community.splunk.com/t5/Splunk-Search/How-to-count-with-inputlookup/m-p/384361#M112254 FrankVl 2019-05-23T08:10:02Z