https://community.splunk.com/t5/Splunk-Search/Comparing-index-with-inputlookup/m-p/634263#M220324 <PRE>|tstats count where index=events by user | lookup policy.csv user</PRE> Mon, 13 Mar 2023 13:04:51 GMT danutmatei 2023-03-13T13:04:51Z https://community.splunk.com/t5/Splunk-Search/Comparing-index-with-inputlookup/m-p/634243#M220306 <P>Hi,</P> <P>I have a policy.csv file with 2 columns:</P> <P>user&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;tags</P> <P>Andre&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;IT</P> <P>Kleo&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Management</P> <P>Vlad&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Finance</P> <P>&nbsp;</P> <P>And I also have an index=events with events and field "user"</P> <P>What I want is to count the number of events for each tag by user.</P> <P>for example:</P> <P>User&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Tags&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;Count</P> <P>Andre&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;IT&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;55</P> <P>&nbsp;</P> <P>I've tried this, but it counts the number of rows from the csv, not from index:</P> <LI-CODE lang="markup">|inputlookup policy.csv | join type=left tags [|tstats count where index=events by user] |stats count by user tags</LI-CODE> Mon, 13 Mar 2023 13:54:34 GMT https://community.splunk.com/t5/Splunk-Search/Comparing-index-with-inputlookup/m-p/634243#M220306 danutmatei 2023-03-13T13:54:34Z https://community.splunk.com/t5/Splunk-Search/Comparing-index-with-inputlookup/m-p/634245#M220308 <P>Would this work for you?</P><LI-CODE lang="markup">|tstats count where index=events by user | lookup policy.csv</LI-CODE> Mon, 13 Mar 2023 11:31:18 GMT https://community.splunk.com/t5/Splunk-Search/Comparing-index-with-inputlookup/m-p/634245#M220308 ITWhisperer 2023-03-13T11:31:18Z https://community.splunk.com/t5/Splunk-Search/Comparing-index-with-inputlookup/m-p/634247#M220310 <P>no</P> Mon, 13 Mar 2023 11:51:19 GMT https://community.splunk.com/t5/Splunk-Search/Comparing-index-with-inputlookup/m-p/634247#M220310 danutmatei 2023-03-13T11:51:19Z https://community.splunk.com/t5/Splunk-Search/Comparing-index-with-inputlookup/m-p/634253#M220316 <P>In what way does it not work? What else can you tell us about your data which might help us suggest a more meaningful solution?</P> Mon, 13 Mar 2023 12:20:50 GMT https://community.splunk.com/t5/Splunk-Search/Comparing-index-with-inputlookup/m-p/634253#M220316 ITWhisperer 2023-03-13T12:20:50Z https://community.splunk.com/t5/Splunk-Search/Comparing-index-with-inputlookup/m-p/634254#M220317 <P><SPAN>Error in 'lookup' command: Must specify one or more lookup fields.</SPAN></P> Mon, 13 Mar 2023 12:29:35 GMT https://community.splunk.com/t5/Splunk-Search/Comparing-index-with-inputlookup/m-p/634254#M220317 danutmatei 2023-03-13T12:29:35Z https://community.splunk.com/t5/Splunk-Search/Comparing-index-with-inputlookup/m-p/634257#M220320 <P>Sorry, try it this way</P><LI-CODE lang="markup">|tstats count where index=events by user | lookup policy.csv user</LI-CODE> Mon, 13 Mar 2023 12:37:02 GMT https://community.splunk.com/t5/Splunk-Search/Comparing-index-with-inputlookup/m-p/634257#M220320 ITWhisperer 2023-03-13T12:37:02Z https://community.splunk.com/t5/Splunk-Search/Comparing-index-with-inputlookup/m-p/634258#M220321 <P>bot working, I get 0 statistics</P> Mon, 13 Mar 2023 12:43:30 GMT https://community.splunk.com/t5/Splunk-Search/Comparing-index-with-inputlookup/m-p/634258#M220321 danutmatei 2023-03-13T12:43:30Z https://community.splunk.com/t5/Splunk-Search/Comparing-index-with-inputlookup/m-p/634260#M220322 <P>What is your current search?</P> Mon, 13 Mar 2023 13:00:09 GMT https://community.splunk.com/t5/Splunk-Search/Comparing-index-with-inputlookup/m-p/634260#M220322 ITWhisperer 2023-03-13T13:00:09Z https://community.splunk.com/t5/Splunk-Search/Comparing-index-with-inputlookup/m-p/634263#M220324 <PRE>|tstats count where index=events by user | lookup policy.csv user</PRE> Mon, 13 Mar 2023 13:04:51 GMT https://community.splunk.com/t5/Splunk-Search/Comparing-index-with-inputlookup/m-p/634263#M220324 danutmatei 2023-03-13T13:04:51Z https://community.splunk.com/t5/Splunk-Search/Comparing-index-with-inputlookup/m-p/634266#M220326 <P>Does this return any results?</P><LI-CODE lang="markup">|tstats count where index=events by user</LI-CODE><P>If not, how about this</P><LI-CODE lang="markup">index=events | stats count by user</LI-CODE> Mon, 13 Mar 2023 13:07:33 GMT https://community.splunk.com/t5/Splunk-Search/Comparing-index-with-inputlookup/m-p/634266#M220326 ITWhisperer 2023-03-13T13:07:33Z https://community.splunk.com/t5/Splunk-Search/Comparing-index-with-inputlookup/m-p/634268#M220328 <P>And what should I do with this query ? since is not solving my issue and the lookup file is not included ?!</P> Mon, 13 Mar 2023 13:13:34 GMT https://community.splunk.com/t5/Splunk-Search/Comparing-index-with-inputlookup/m-p/634268#M220328 danutmatei 2023-03-13T13:13:34Z https://community.splunk.com/t5/Splunk-Search/Comparing-index-with-inputlookup/m-p/634270#M220329 <P>If you are not getting any results from the tstats or the stats, then the lookup isn't going to make any difference. You need to look at why there are no results. Perhaps the fields don't exist or are spelt differently, including differences in upper and lower case.</P> Mon, 13 Mar 2023 13:16:49 GMT https://community.splunk.com/t5/Splunk-Search/Comparing-index-with-inputlookup/m-p/634270#M220329 ITWhisperer 2023-03-13T13:16:49Z