https://community.splunk.com/t5/Splunk-Search/How-to-combine-foreach-command-with-lookup-data/m-p/500893#M139470 <P>Pur your 600 URLs in a lookup file called <CODE>uri_path.csv</CODE> with a single field named <CODE>uri_path</CODE> and then do this:</P> <PRE><CODE>index=nginx sourcetype="nginx:plus:access" |inputlookup append=true uri_path.csv | stats count(eval(sourcetype="nginx:plus:access")) AS count BY uri_path </CODE></PRE> Sun, 13 Oct 2019 08:35:08 GMT woodcock 2019-10-13T08:35:08Z https://community.splunk.com/t5/Splunk-Search/How-to-combine-foreach-command-with-lookup-data/m-p/500891#M139468 <P>Hello,</P> <P>In order to clean our filtering rules we'd like to check if some of our old URL's are still in use (an if yes - how many times in last 90 days). Basically we'd like to perform the query below:</P> <PRE><CODE>index=nginx sourcetype="nginx:plus:access" | search uri_path=&lt;uri_path_we_are_searching_for&gt; | stats count </CODE></PRE> <P>The problem is that there are almost 600 URL's we need to check.</P> <P>We'd like to know if there is a way to put all the URL's in a lookup and then perform a kind of <CODE>foreach</CODE> search.</P> <P>Thanks for the help.<BR /> Alex.</P> Fri, 11 Oct 2019 13:49:12 GMT https://community.splunk.com/t5/Splunk-Search/How-to-combine-foreach-command-with-lookup-data/m-p/500891#M139468 AlexeySh 2019-10-11T13:49:12Z https://community.splunk.com/t5/Splunk-Search/How-to-combine-foreach-command-with-lookup-data/m-p/500892#M139469 <P>Try this!</P> <PRE><CODE>index=nginx sourcetype="nginx:plus:access" [|inputlookup your_filename|table uri_path] | stats count ↓ index=nginx sourcetype="nginx:plus:access" (uri_path="XXX" OR uri_path="YYY" OR uri_path="XXX") </CODE></PRE> <P>Or it can be linked using the LOOKUP command.</P> Fri, 11 Oct 2019 15:04:45 GMT https://community.splunk.com/t5/Splunk-Search/How-to-combine-foreach-command-with-lookup-data/m-p/500892#M139469 HiroshiSatoh 2019-10-11T15:04:45Z https://community.splunk.com/t5/Splunk-Search/How-to-combine-foreach-command-with-lookup-data/m-p/500893#M139470 <P>Pur your 600 URLs in a lookup file called <CODE>uri_path.csv</CODE> with a single field named <CODE>uri_path</CODE> and then do this:</P> <PRE><CODE>index=nginx sourcetype="nginx:plus:access" |inputlookup append=true uri_path.csv | stats count(eval(sourcetype="nginx:plus:access")) AS count BY uri_path </CODE></PRE> Sun, 13 Oct 2019 08:35:08 GMT https://community.splunk.com/t5/Splunk-Search/How-to-combine-foreach-command-with-lookup-data/m-p/500893#M139470 woodcock 2019-10-13T08:35:08Z https://community.splunk.com/t5/Splunk-Search/How-to-combine-foreach-command-with-lookup-data/m-p/500894#M139471 <P>Hi @HiroshiSatoh </P> <P>Almost what I wanted to find. I just modified the second row in order to have a stats by each uri_path:</P> <PRE><CODE>| stats count by uri_path </CODE></PRE> <P>Thanks for the help!</P> Mon, 14 Oct 2019 09:49:02 GMT https://community.splunk.com/t5/Splunk-Search/How-to-combine-foreach-command-with-lookup-data/m-p/500894#M139471 AlexeySh 2019-10-14T09:49:02Z https://community.splunk.com/t5/Splunk-Search/How-to-combine-foreach-command-with-lookup-data/m-p/500895#M139472 <P>Hi @woodcock ,</P> <P>Thanks for the help, but unfortunately I was not able to execute the query because of an error:<BR /> <CODE>'Error in 'stats' command: You must specify a rename for the aggregation specifier on the dynamically evaluated field 'count(eval(sourcetype="nginx:plus:access"))'.</CODE></P> Mon, 14 Oct 2019 10:05:42 GMT https://community.splunk.com/t5/Splunk-Search/How-to-combine-foreach-command-with-lookup-data/m-p/500895#M139472 AlexeySh 2019-10-14T10:05:42Z https://community.splunk.com/t5/Splunk-Search/How-to-combine-foreach-command-with-lookup-data/m-p/500896#M139473 <P>I edited .my answer and fixed it. Try it now.</P> Mon, 14 Oct 2019 12:34:33 GMT https://community.splunk.com/t5/Splunk-Search/How-to-combine-foreach-command-with-lookup-data/m-p/500896#M139473 woodcock 2019-10-14T12:34:33Z