https://community.splunk.com/t5/Splunk-Search/How-to-write-a-search-to-append-multiple-lookups/m-p/198122#M57263 <P>What are the columns available in lookup tables?</P> Thu, 28 Aug 2014 21:10:01 GMT somesoni2 2014-08-28T21:10:01Z https://community.splunk.com/t5/Splunk-Search/How-to-write-a-search-to-append-multiple-lookups/m-p/198121#M57262 <P>Hi All,</P> <P>I am trying to write a search that appends multiple lookups. I have 4 lookups in a .CSV format that table a list of customers by channel (4 different channels) that have been migrated from one system to another. I want to create a search that uses all lookups to verify customers that have been migrated are logging in Splunk. If they are not logging, there is some issue that needs to be looked at.</P> <P>Here is a basic search I am using with one of the lookups:</P> <P>index=contract_gateway earliest=@d sourcetype=esb_audit bp_bp_name=Invoice<BR /> | stats earliest(_time) as first_seen, latest(_time) as last_seen by customer| append [ |inputlookup edi_migrated_customer_lookup.csv ] <BR /> | stats min(first_seen) as first_seen, max(last_seen) as last_seen by customer<BR /> | outputlookup edi_migrated_customer_lookup.csv</P> <P>The issue I am having is that no matter which of the four lookups I use, the number events in Splunk remains the same, concluding that my search must be jacked/ I am not using the inputlookup/outputlook commands correctly.</P> <P>What I eventually would like to do is display a summary page that monitors the customer migration, and table Total Customer Count, Success Rate, Error Rate, No Transaction Rate by each channel.</P> <P>Any insights on my query would be very helpful.</P> <P>Thanks in Advance!</P> Mon, 28 Sep 2020 17:26:25 GMT https://community.splunk.com/t5/Splunk-Search/How-to-write-a-search-to-append-multiple-lookups/m-p/198121#M57262 _gkollias 2020-09-28T17:26:25Z https://community.splunk.com/t5/Splunk-Search/How-to-write-a-search-to-append-multiple-lookups/m-p/198122#M57263 <P>What are the columns available in lookup tables?</P> Thu, 28 Aug 2014 21:10:01 GMT https://community.splunk.com/t5/Splunk-Search/How-to-write-a-search-to-append-multiple-lookups/m-p/198122#M57263 somesoni2 2014-08-28T21:10:01Z https://community.splunk.com/t5/Splunk-Search/How-to-write-a-search-to-append-multiple-lookups/m-p/198123#M57264 <P>Only "customer" at the moment. Each lookup, like edi_migrated_customer_lookup.csv, contains a list of customers that have been migrated. So every week I will beupdating the lookups as customers are migrated.</P> Mon, 28 Sep 2020 17:26:31 GMT https://community.splunk.com/t5/Splunk-Search/How-to-write-a-search-to-append-multiple-lookups/m-p/198123#M57264 _gkollias 2020-09-28T17:26:31Z https://community.splunk.com/t5/Splunk-Search/How-to-write-a-search-to-append-multiple-lookups/m-p/198124#M57265 <P>Give this a try. I</P> <PRE><CODE>index=contract_gateway earliest=@d sourcetype=esb_audit bp_bp_name=Invoice | stats earliest(_time) as first_seen, latest(_time) as last_seen by customer| append [ |inputlookup edi_migrated_customer_lookup.csv ] | dedup customer first_seen last_seen| outputlookup edi_migrated_customer_lookup.csv </CODE></PRE> Fri, 29 Aug 2014 12:24:11 GMT https://community.splunk.com/t5/Splunk-Search/How-to-write-a-search-to-append-multiple-lookups/m-p/198124#M57265 somesoni2 2014-08-29T12:24:11Z https://community.splunk.com/t5/Splunk-Search/How-to-write-a-search-to-append-multiple-lookups/m-p/198125#M57266 <P>Thanks for your response. The results are similar where no matter which migrated list I change to the number of events are still the same for all lookups. The lookups range from 300 customers in one, to almost 20,000 in another, so I suspect the number of events to change by each lookup</P> Fri, 29 Aug 2014 12:54:40 GMT https://community.splunk.com/t5/Splunk-Search/How-to-write-a-search-to-append-multiple-lookups/m-p/198125#M57266 _gkollias 2014-08-29T12:54:40Z