https://community.splunk.com/t5/Splunk-Search/How-to-use-INPUTLOOKUP-command-in-splunk/m-p/92212#M23784 <P>Hi ,</P> <P>I am new to splunk, I want to seach multiple keywords from a list ( .txt ) , I would like to know how it could be done using "inputlookup" command ..</P> <P>Please help !!</P> <P>Thanks <BR /> Abhay</P> Tue, 16 Oct 2012 17:41:41 GMT abhayneilam 2012-10-16T17:41:41Z https://community.splunk.com/t5/Splunk-Search/How-to-use-INPUTLOOKUP-command-in-splunk/m-p/92212#M23784 <P>Hi ,</P> <P>I am new to splunk, I want to seach multiple keywords from a list ( .txt ) , I would like to know how it could be done using "inputlookup" command ..</P> <P>Please help !!</P> <P>Thanks <BR /> Abhay</P> Tue, 16 Oct 2012 17:41:41 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-INPUTLOOKUP-command-in-splunk/m-p/92212#M23784 abhayneilam 2012-10-16T17:41:41Z https://community.splunk.com/t5/Splunk-Search/How-to-use-INPUTLOOKUP-command-in-splunk/m-p/92213#M23785 <P>Splunk in general will need a .csv or a tarred version of .csv file to be used. So AFAIK it won't read data from .txt file. </P> Tue, 16 Oct 2012 17:45:55 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-INPUTLOOKUP-command-in-splunk/m-p/92213#M23785 theouhuios 2012-10-16T17:45:55Z https://community.splunk.com/t5/Splunk-Search/How-to-use-INPUTLOOKUP-command-in-splunk/m-p/92214#M23786 <P>ok. even if it reads from .csv , can u please give me one example how it can be used.</P> <P>Please help</P> Tue, 16 Oct 2012 18:12:46 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-INPUTLOOKUP-command-in-splunk/m-p/92214#M23786 abhayneilam 2012-10-16T18:12:46Z https://community.splunk.com/t5/Splunk-Search/How-to-use-INPUTLOOKUP-command-in-splunk/m-p/92215#M23787 <P>The lookup file must be .csv or .csv.gz. There are some brief examples in the <A href="http://docs.splunk.com/Documentation/Splunk/4.3.4/SearchReference/Inputlookup">Search Reference</A>.</P> Tue, 16 Oct 2012 18:27:53 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-INPUTLOOKUP-command-in-splunk/m-p/92215#M23787 ChrisG 2012-10-16T18:27:53Z https://community.splunk.com/t5/Splunk-Search/How-to-use-INPUTLOOKUP-command-in-splunk/m-p/92216#M23788 <P>Assume you define a lookup table as described here: <A href="http://docs.splunk.com/Documentation/Splunk/5.0/Knowledge/Addfieldsfromexternaldatasources">http://docs.splunk.com/Documentation/Splunk/5.0/Knowledge/Addfieldsfromexternaldatasources</A></P> <P>Further, assume that the lookup is called <CODE>foo</CODE> and its associated file looks as such: </P> <P><CODE>status, category<BR /> 200, good<BR /> 400, bad<BR /> 500, worse</CODE></P> <P>1.You can use the following search that utilizes the <CODE>inputlookup</CODE> command to search on <CODE>status=values</CODE>: </P> <P>"<CODE>index=my_index [| inputlookup foo | return 10 status]</CODE>" </P> <P>which translates to :<BR /><BR /> "<CODE>index=my_index (status="200") OR (status="400") OR (status="500")</CODE>"</P> <P>2.To search ONLY on <CODE>status</CODE> values: </P> <P><CODE>index=my_index [| inputlookup foo | return 10 $status]</CODE></P> <P>which translates to: </P> <P><CODE>index=my_index (200) OR (400) OR (500)</CODE></P> <P>Hope this helps, </P> <P>d.</P> Wed, 17 Oct 2012 04:07:39 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-INPUTLOOKUP-command-in-splunk/m-p/92216#M23788 _d_ 2012-10-17T04:07:39Z https://community.splunk.com/t5/Splunk-Search/How-to-use-INPUTLOOKUP-command-in-splunk/m-p/92217#M23789 <P>But if I want to output, the no. of occurence for each Status code : like</P> <P>Status_Code Count<BR /> 200 5<BR /> 300 2<BR /> 400 10<BR /> 500 1<BR /> 600 30</P> <P>Please help me regarding this</P> Wed, 17 Oct 2012 08:06:09 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-INPUTLOOKUP-command-in-splunk/m-p/92217#M23789 abhayneilam 2012-10-17T08:06:09Z https://community.splunk.com/t5/Splunk-Search/How-to-use-INPUTLOOKUP-command-in-splunk/m-p/92218#M23790 <P>Following the example above:</P> <PRE><CODE>index=my_index [| inputlookup foo | return 10 status] | stats count by status </CODE></PRE> <P>Should get you what you want.</P> Thu, 29 Nov 2012 19:26:32 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-INPUTLOOKUP-command-in-splunk/m-p/92218#M23790 jeff 2012-11-29T19:26:32Z https://community.splunk.com/t5/Splunk-Search/How-to-use-INPUTLOOKUP-command-in-splunk/m-p/92219#M23791 <P>where should we copy that file</P> Mon, 23 May 2016 07:36:59 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-INPUTLOOKUP-command-in-splunk/m-p/92219#M23791 rashid47010 2016-05-23T07:36:59Z https://community.splunk.com/t5/Splunk-Search/How-to-use-INPUTLOOKUP-command-in-splunk/m-p/92220#M23792 <P>I have a requirement that is somewhat similar:<BR /> i have a list of query strings (these are just strings not a field)<BR /> (eg. Too many open files, CPU Starvation detected, java.sql.SQLException: Cannot obtain connection, thread(s) in total in the server that may be hung, Trust Association Init Error, problems occurred during startup for, OutOfMemoryError)<BR /> My requirement is to save these strings in a field and then run a query like<BR /> index=abc sourcetype=xyz "field_name" |stats count by field_name<BR /> I have already saved these queries in a lookup csv, but unable to reference the lookup file to run the query</P> <P>my intention is to create a logic to use the lookup file so that in a rare event if there are any changes/addition/deletion to the query strings, no one touches the actual query, just a change/addition/deletion in the lookup file would be enough. </P> <P>when i run |inputlookup search_string.csv | return 15 $search_string<BR /> i get the output as <BR /> (Too many open files) OR (CPU Starvation detected) OR (java.sql.SQLException: Cannot obtain connection:) OR (thread(s) in total in the server that may be hung)<BR /> how do i write a query so that it searches all the strings individually and later when i do a stats gives me a occurance count of each string.</P> Tue, 29 Sep 2020 17:03:27 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-INPUTLOOKUP-command-in-splunk/m-p/92220#M23792 soumyasaha25 2020-09-29T17:03:27Z https://community.splunk.com/t5/Splunk-Search/How-to-use-INPUTLOOKUP-command-in-splunk/m-p/92221#M23793 <P>Please open a new question for the above, commenting on the existing one is unlikely to obtain an appropriate answer.</P> Mon, 04 Dec 2017 07:27:24 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-INPUTLOOKUP-command-in-splunk/m-p/92221#M23793 gjanders 2017-12-04T07:27:24Z https://community.splunk.com/t5/Splunk-Search/How-to-use-INPUTLOOKUP-command-in-splunk/m-p/544264#M154169 <P>Hi, If i want to count the no of responseStatus, how do you achieve that.</P><P>For exaple I want to update the file with No of 200, 201, 203, 204, every 10 mins.</P><P>I want to use this data in future to plot my Charts</P> Wed, 17 Mar 2021 22:05:44 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-INPUTLOOKUP-command-in-splunk/m-p/544264#M154169 vijaysubramania 2021-03-17T22:05:44Z https://community.splunk.com/t5/Splunk-Search/How-to-use-INPUTLOOKUP-command-in-splunk/m-p/645582#M223518 <UL><LI>Hi, I still don't understand the difference between $&lt;field&gt; and &lt;fields&gt;. Can you ELI5?</LI></UL> Fri, 02 Jun 2023 16:43:57 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-INPUTLOOKUP-command-in-splunk/m-p/645582#M223518 SubtotalAMG 2023-06-02T16:43:57Z