topic Re: How to display limited results from a field in Splunk Search

How to display limited results from a field

MikeB — Wed, 20 Oct 2021 19:32:03 GMT

I have a field named failcode with numerous fail code names structured like this:

date	failcode	count
2021-10-01	g-ab	123
2021-10-01	g-bc	258
2021-10-01	g-cd	369
2021-10-01	c-ab	456
2021-10-01	c-bc	124
2021-10-01	c-cd	325
2021-10-01	d-ab	854
2021-10-01	d-bc	962
2021-10-01	d-cd	362
2021-10-01	d-dd	851
2021-10-02	g-ab	963
2021-10-02	g-bc	101
2021-10-02	g-cd	171
2021-10-02	c-ab	320
2021-10-02	c-bc	214
2021-10-02	c-cd	985
2021-10-02	d-ab	165
2021-10-02	d-bc	130
2021-10-02	d-cd	892
2021-10-02	d-dd	964
2021-10-03	g-ab	653
2021-10-03	g-bc	285
2021-10-03	g-cd	634
2021-10-03	c-ab	689
2021-10-03	c-bc	752
2021-10-03	c-cd	452
2021-10-03	d-ab	365
2021-10-03	d-bc	125
2021-10-03	d-cd	691
2021-10-03	d-dd	354

I want to only keep certain codes: g-ab, c-cd, and d-dd and not display the rest in my results. Essentially I just want to display certain results from my failcode column.

Re: How to display limited results from a field

richgalloway — Wed, 20 Oct 2021 20:04:59 GMT

To filter your results, use the search or where command.

... | search failcode IN ("g-ab", "c-cd", "d-dd")

... | where IN(failcode, "g-ab", "c-cd", "d-dd")

For better performance put the IN option from the search command above in the base search.

index=foo failcode IN ("g-ab", "c-cd", "d-dd") | ...

Re: How to display limited results from a field

MikeB — Wed, 20 Oct 2021 21:49:08 GMT

Would this method also work with a search that is using a lookup table? I tried using the below but didn't come up with any results. Would this not work with a lookup table?

| inputlookup myfile.csv | where IN(failcode, "g-ab", "c-cd", "d-dd") | ...

Re: How to display limited results from a field

nmohammed — Wed, 20 Oct 2021 23:10:15 GMT

@MikeB

inputlookup can be used to fetch results.

| inputlookup myfile.csv 
| where failcode IN ("g-ab", "c-cd", "d-dd")

Re: How to display limited results from a field

MikeB — Thu, 21 Oct 2021 16:05:34 GMT

Hmmm, I still cannot get any results to display. Is there something specific I should use after that such as using "fields" instead of "table" to display my results?

Re: How to display limited results from a field

nmohammed — Thu, 21 Oct 2021 17:01:39 GMT

are you able to see the contents of the lookup file created ? run the following command

| inputlookup myfile.csv

Re: How to display limited results from a field

MikeB — Thu, 21 Oct 2021 17:10:08 GMT

Yes, I'm able to see the entire contents of my lookup file. The file is structured as follows:

_time, failcode, source, failcount

Re: How to display limited results from a field

nmohammed — Thu, 21 Oct 2021 19:37:14 GMT

It should work, I tried it out with csv file you shared.

It can either be permissions (but you're able to see contents of lookup using inputlookup).

Check the fieldnames (case-sensitive) & also spell-check

Try another way (replace with your filename) -

| inputlookup answers-571716.csv | where failcode="g-ab" OR failcode="c-cd" OR failcode="d-dd"