https://community.splunk.com/t5/Splunk-Search/How-to-develop-a-lookup-search-to-run-a-stats-count-by-user-and/m-p/228404#M67521 <P>Can you share sample from lookup file including the header and also from the log data couple or _raw events?</P> Mon, 14 Nov 2016 19:05:36 GMT niketn 2016-11-14T19:05:36Z https://community.splunk.com/t5/Splunk-Search/How-to-develop-a-lookup-search-to-run-a-stats-count-by-user-and/m-p/228397#M67514 <P>I have a lookup table that has five fields:</P> <PRE><CODE>User Account Type Employee RC Employee Department Student RC </CODE></PRE> <P>I have an index I'd like to run the lookup command against that has a field with the same name - User</P> <P>How do I set up my lookup command to do a stats count by User and return the other four fields in the output?</P> <P>Thx</P> Mon, 14 Nov 2016 17:55:07 GMT https://community.splunk.com/t5/Splunk-Search/How-to-develop-a-lookup-search-to-run-a-stats-count-by-user-and/m-p/228397#M67514 jwalzerpitt 2016-11-14T17:55:07Z https://community.splunk.com/t5/Splunk-Search/How-to-develop-a-lookup-search-to-run-a-stats-count-by-user-and/m-p/228398#M67515 <P>Perhaps this will help.</P> <PRE><CODE>index=foo | stats count as Count by User | lookup mylookup User OUTPUT "Account Type" "Employee RC" "Employee Department" "Student RC" | ... </CODE></PRE> Mon, 14 Nov 2016 18:10:06 GMT https://community.splunk.com/t5/Splunk-Search/How-to-develop-a-lookup-search-to-run-a-stats-count-by-user-and/m-p/228398#M67515 richgalloway 2016-11-14T18:10:06Z https://community.splunk.com/t5/Splunk-Search/How-to-develop-a-lookup-search-to-run-a-stats-count-by-user-and/m-p/228399#M67516 <P>Assuming your lookup table has lookup defined as <STRONG>userdetails</STRONG></P> <PRE><CODE>Your base search | stats count by User | lookup userdetails User | table User, "Account Type", "Employee RC", "Employee Department", "Student RC" </CODE></PRE> <P>It would be better if your lookup table had fields without spaces like Employee_RC etc</P> Mon, 14 Nov 2016 18:34:33 GMT https://community.splunk.com/t5/Splunk-Search/How-to-develop-a-lookup-search-to-run-a-stats-count-by-user-and/m-p/228399#M67516 niketn 2016-11-14T18:34:33Z https://community.splunk.com/t5/Splunk-Search/How-to-develop-a-lookup-search-to-run-a-stats-count-by-user-and/m-p/228400#M67517 <P>Thx for the repkly Rich.</P> <P>I ran that query and I'm seeing the count by User, but the other fields ("Account Type" "Employee RC" "Employee Department" "Student RC") are blank</P> Mon, 14 Nov 2016 18:35:01 GMT https://community.splunk.com/t5/Splunk-Search/How-to-develop-a-lookup-search-to-run-a-stats-count-by-user-and/m-p/228400#M67517 jwalzerpitt 2016-11-14T18:35:01Z https://community.splunk.com/t5/Splunk-Search/How-to-develop-a-lookup-search-to-run-a-stats-count-by-user-and/m-p/228401#M67518 <P>FYI - as a test, I did a |inputlookup ldap and I'm seeing values in the fields</P> Mon, 14 Nov 2016 18:36:36 GMT https://community.splunk.com/t5/Splunk-Search/How-to-develop-a-lookup-search-to-run-a-stats-count-by-user-and/m-p/228401#M67518 jwalzerpitt 2016-11-14T18:36:36Z https://community.splunk.com/t5/Splunk-Search/How-to-develop-a-lookup-search-to-run-a-stats-count-by-user-and/m-p/228402#M67519 <P>Thx - I added the underline to the other fields, but still not seeing any values returned</P> Mon, 14 Nov 2016 18:41:33 GMT https://community.splunk.com/t5/Splunk-Search/How-to-develop-a-lookup-search-to-run-a-stats-count-by-user-and/m-p/228402#M67519 jwalzerpitt 2016-11-14T18:41:33Z https://community.splunk.com/t5/Splunk-Search/How-to-develop-a-lookup-search-to-run-a-stats-count-by-user-and/m-p/228403#M67520 <P>So is your problem resolved?</P> Mon, 14 Nov 2016 19:02:40 GMT https://community.splunk.com/t5/Splunk-Search/How-to-develop-a-lookup-search-to-run-a-stats-count-by-user-and/m-p/228403#M67520 richgalloway 2016-11-14T19:02:40Z https://community.splunk.com/t5/Splunk-Search/How-to-develop-a-lookup-search-to-run-a-stats-count-by-user-and/m-p/228404#M67521 <P>Can you share sample from lookup file including the header and also from the log data couple or _raw events?</P> Mon, 14 Nov 2016 19:05:36 GMT https://community.splunk.com/t5/Splunk-Search/How-to-develop-a-lookup-search-to-run-a-stats-count-by-user-and/m-p/228404#M67521 niketn 2016-11-14T19:05:36Z https://community.splunk.com/t5/Splunk-Search/How-to-develop-a-lookup-search-to-run-a-stats-count-by-user-and/m-p/228405#M67522 <P>Make sure the casing of field User is the same in raw data and the lookup table. If the fields are not exact match they will not join.</P> Mon, 14 Nov 2016 19:06:47 GMT https://community.splunk.com/t5/Splunk-Search/How-to-develop-a-lookup-search-to-run-a-stats-count-by-user-and/m-p/228405#M67522 niketn 2016-11-14T19:06:47Z https://community.splunk.com/t5/Splunk-Search/How-to-develop-a-lookup-search-to-run-a-stats-count-by-user-and/m-p/228406#M67523 <P>The field in the index is 'User' and the field in the .csv is 'User' - I did double check that to make sure they matched up</P> Mon, 14 Nov 2016 19:18:12 GMT https://community.splunk.com/t5/Splunk-Search/How-to-develop-a-lookup-search-to-run-a-stats-count-by-user-and/m-p/228406#M67523 jwalzerpitt 2016-11-14T19:18:12Z https://community.splunk.com/t5/Splunk-Search/How-to-develop-a-lookup-search-to-run-a-stats-count-by-user-and/m-p/228407#M67524 <P>No - still not seeing values in any of other four fields</P> Mon, 14 Nov 2016 19:19:10 GMT https://community.splunk.com/t5/Splunk-Search/How-to-develop-a-lookup-search-to-run-a-stats-count-by-user-and/m-p/228407#M67524 jwalzerpitt 2016-11-14T19:19:10Z https://community.splunk.com/t5/Splunk-Search/How-to-develop-a-lookup-search-to-run-a-stats-count-by-user-and/m-p/228408#M67525 <P>Some sample data from the csv:</P> <P>User Account_Type Employee_RC Employee_Department Student_RC<BR /> user1 Primary University Library System (60) Administrative Services (60080) <BR /> user2 Primary Sch Arts and Sciences (06) Chemistry (13203)<BR /><BR /> user3 Primary Swansea School of Engineering (23)<BR /> user4 Primary General Counsel (54) General Counsel (01020)<BR /><BR /> user5 Primary Univ of ABC at City Name (42) Soc Sci-Admin of Just (42249) <BR /> user6 Primary Financial Aid (84) General University Budget Only (07118) Howler Sch Arts and Sciences (06)<BR /> user7 Primary Howler Sch Arts and Sciences (06)<BR /> user8 Primary Howler Sch Arts and Sciences (06)</P> Tue, 29 Sep 2020 11:45:58 GMT https://community.splunk.com/t5/Splunk-Search/How-to-develop-a-lookup-search-to-run-a-stats-count-by-user-and/m-p/228408#M67525 jwalzerpitt 2020-09-29T11:45:58Z https://community.splunk.com/t5/Splunk-Search/How-to-develop-a-lookup-search-to-run-a-stats-count-by-user-and/m-p/228409#M67526 <P>FYI - some keys have blank values</P> Tue, 15 Nov 2016 14:16:47 GMT https://community.splunk.com/t5/Splunk-Search/How-to-develop-a-lookup-search-to-run-a-stats-count-by-user-and/m-p/228409#M67526 jwalzerpitt 2016-11-15T14:16:47Z https://community.splunk.com/t5/Splunk-Search/How-to-develop-a-lookup-search-to-run-a-stats-count-by-user-and/m-p/228410#M67527 <P>Is the case of values of field User different in index/lookup? Lookup is case-sensitive (by default) and will not work if you try to match <CODE>user1</CODE> with <CODE>User1</CODE> OR <CODE>USER1</CODE>.</P> Tue, 15 Nov 2016 15:35:12 GMT https://community.splunk.com/t5/Splunk-Search/How-to-develop-a-lookup-search-to-run-a-stats-count-by-user-and/m-p/228410#M67527 somesoni2 2016-11-15T15:35:12Z https://community.splunk.com/t5/Splunk-Search/How-to-develop-a-lookup-search-to-run-a-stats-count-by-user-and/m-p/228411#M67528 <P>Thx for the info - in my .csv user names are all in caps, whereas the user field in the index the user names are lower case. I modified the .csv and changed upper case to lower case, reloaded the .csv and the lookup works - thx!</P> Tue, 15 Nov 2016 16:28:37 GMT https://community.splunk.com/t5/Splunk-Search/How-to-develop-a-lookup-search-to-run-a-stats-count-by-user-and/m-p/228411#M67528 jwalzerpitt 2016-11-15T16:28:37Z