Count of all query present in lookup file

pjtbasu — Tue, 29 Jun 2021 08:38:10 GMT

I've created a lookup file with 2 columns like this, basically a lookup file containing list of search queries.

Name | Value

Query1 | index=*xyz* field1="fasdasdasdadasdasd"

Query2 | index=*abc* field2 = "qweqweqweqweqwe"

Query3 | index=*pqr* field3 = "zxzxczxczczx"

I want to get the count of each query using inputlookup and map command, in such a way that it gives 0 result to and not omit the any query if count is 0, like this -

Name | Count

Query1 | 200

Query2 | 0

Query3 |4500

Could someone help please ?

Re: Count of all query present in lookup file

kamlesh_vaghela — Tue, 29 Jun 2021 11:17:47 GMT

@pjtbasu

if you pass value from main search to map command it will enclosed it with double quote( as it is consider as value) and pass it.

So if your search is like

index=_internal eventtype=splunkd-access

map will consider like

search "index=_internal eventtype=splunkd-access"

In this situation you will get 0 count always.

So I'm suggesting one trick to achieve this.

Create Execute_Search in savedsearches.conf.

[Execute_Search] search = $q$ | stats count as Count | eval Name="$name$" | table Name Count

and use this savedsearch with map command.

|inputlookup YOUR_LOOKUP | table Name,Value | map search="| savedsearch Execute_Search q=$Value$ name=$Name$"

My Sample Search :

| makeresults | eval _raw="Name,Value Query1,index=_internal eventtype=splunkd-access Query2,index=_internal eventtype=splunkd-log Query3,index=_internal sourcetype=splunkd " | multikv forceheader=1 | table Name,Value | map search="| savedsearch Execute_Search q=$Value$ name=$Name$"

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

topic Count of all query present in lookup file in Splunk Search

Count of all query present in lookup file

Re: Count of all query present in lookup file