https://community.splunk.com/t5/Splunk-Search/Searching-a-lookup/m-p/674345#M230833 <P>thanks for the reply but&nbsp; I want the total count when the timeval is latest. (in this case 2023), so according to my lookup result should be 2. with BIE count is 0 and&nbsp; RAD count is 2 so 0+2=2. Hope this helps in understanding</P> Tue, 16 Jan 2024 10:04:40 GMT Siddharthnegi 2024-01-16T10:04:40Z https://community.splunk.com/t5/Splunk-Search/Searching-a-lookup/m-p/674343#M230831 <P>I have this lookup</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Siddharthnegi_0-1705395632145.png" style="width: 753px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/28947i9704393DA3621C02/image-dimensions/753x166?v=v2" width="753" height="166" role="button" title="Siddharthnegi_0-1705395632145.png" alt="Siddharthnegi_0-1705395632145.png" /></span></P><P>I want the total count when the timeval is latest. (in this case 2023) any solution</P> Tue, 16 Jan 2024 09:57:35 GMT https://community.splunk.com/t5/Splunk-Search/Searching-a-lookup/m-p/674343#M230831 Siddharthnegi 2024-01-16T09:57:35Z https://community.splunk.com/t5/Splunk-Search/Searching-a-lookup/m-p/674344#M230832 <P>If you want to just get some statistical report on data read from your lookup, use the inputlookup command.</P><P>Like</P><PRE>| inputlookup mylookup | stats count</PRE><P>will give you number of rows in your lookup. You can do any operation on fields read from the lookup that you would normally do in a "normal" event search.</P> Tue, 16 Jan 2024 09:59:19 GMT https://community.splunk.com/t5/Splunk-Search/Searching-a-lookup/m-p/674344#M230832 PickleRick 2024-01-16T09:59:19Z https://community.splunk.com/t5/Splunk-Search/Searching-a-lookup/m-p/674345#M230833 <P>thanks for the reply but&nbsp; I want the total count when the timeval is latest. (in this case 2023), so according to my lookup result should be 2. with BIE count is 0 and&nbsp; RAD count is 2 so 0+2=2. Hope this helps in understanding</P> Tue, 16 Jan 2024 10:04:40 GMT https://community.splunk.com/t5/Splunk-Search/Searching-a-lookup/m-p/674345#M230833 Siddharthnegi 2024-01-16T10:04:40Z https://community.splunk.com/t5/Splunk-Search/Searching-a-lookup/m-p/674347#M230834 <P>And what have you tried so far? And how the results weren't meeting your expectations?</P> Tue, 16 Jan 2024 10:11:01 GMT https://community.splunk.com/t5/Splunk-Search/Searching-a-lookup/m-p/674347#M230834 PickleRick 2024-01-16T10:11:01Z https://community.splunk.com/t5/Splunk-Search/Searching-a-lookup/m-p/674355#M230838 <P>if i try to find count i am only getting count of either BIE or RAD . But I want count of both combined .</P> Tue, 16 Jan 2024 10:52:18 GMT https://community.splunk.com/t5/Splunk-Search/Searching-a-lookup/m-p/674355#M230838 Siddharthnegi 2024-01-16T10:52:18Z https://community.splunk.com/t5/Splunk-Search/Searching-a-lookup/m-p/674367#M230843 <P>What is your search then?</P> Tue, 16 Jan 2024 13:37:29 GMT https://community.splunk.com/t5/Splunk-Search/Searching-a-lookup/m-p/674367#M230843 PickleRick 2024-01-16T13:37:29Z https://community.splunk.com/t5/Splunk-Search/Searching-a-lookup/m-p/674377#M230844 <P>| inputlookup abc.csv<BR />| eval CompanyCode="DSPL"<BR />| eventstats values(CompanyCode) as CompanyCode<BR />| eval 3Let=case(CompanyCode == "DSDE", "BIE", CompanyCode == "DSDE-AS", "PUT", CompanyCode == "DSDE-FS", "STL", CompanyCode == "CSDE", "DAR", CompanyCode == "DSPL", "RAD", CompanyCode == "DSMX", "QUE", CompanyCode == "DSUS", "SSC")<BR />| where '3Let'='place'<BR />| sort - timeval<BR />| table count timeval<BR />| head 1<BR />|appendpipe [stats count | where count==0<BR />| eval timeval=strftime(now(),"%Y") | where count==0]</P> Tue, 16 Jan 2024 14:15:16 GMT https://community.splunk.com/t5/Splunk-Search/Searching-a-lookup/m-p/674377#M230844 Siddharthnegi 2024-01-16T14:15:16Z https://community.splunk.com/t5/Splunk-Search/Searching-a-lookup/m-p/674383#M230845 <P>OK. We're getting somewhere <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><PRE>| inputlookup abc.csv<BR />| eval CompanyCode="DSPL"<BR />| eventstats values(CompanyCode) as CompanyCode<BR />| eval 3Let=case(CompanyCode == "DSDE", "BIE", CompanyCode == "DSDE-AS", "PUT", CompanyCode == "DSDE-FS", "STL", CompanyCode == "CSDE", "DAR", CompanyCode == "DSPL", "RAD", CompanyCode == "DSMX", "QUE", CompanyCode == "DSUS", "SSC")<BR />| where '3Let'='place'</PRE><P>OK. I assume this produces your data set and it works pretty OK.</P><P>But now if you want to have _all_ events for which a particular field has a value which is max of all possible, you have several options available (for example using subsearches) but the easiest one will be to add an additional field which tells you which value is the max year value. For this we use eventstats.</P><PRE>| eventstats max(timeval) as maxyear</PRE><P>Now you have an additional field telling you which year is the max year. So now just filter your values to only leave those where your timeval is equal to that maxyear</P><PRE>| where timeval=maxyear</PRE><P>And you should be all set <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Tue, 16 Jan 2024 14:51:01 GMT https://community.splunk.com/t5/Splunk-Search/Searching-a-lookup/m-p/674383#M230845 PickleRick 2024-01-16T14:51:01Z