topic Help needed with a search and a lookup in Splunk Search https://community.splunk.com/t5/Splunk-Search/Help-needed-with-a-search-and-a-lookup/m-p/292572#M88314 <P>All,</P> <P>I have this search:</P> <PRE><CODE>index=ssn sourcetype="agent" | rex field=_raw "Files:(?&lt;customer&gt;.*):/tmp/(?&lt;filepath&gt;.*):(?&lt;filecount&gt;.*)" | stats sum(filecount) as filecount by customer host </CODE></PRE> <P>It returns this data:</P> <P>1 CUST001 host001 782<BR /> 2 CUST002 host002 150<BR /> 3 CUST003 host003 10<BR /> 4 CUST004 host004 15<BR /> 5 CUST005 host005 3<BR /> 6 CUST006 host006 44<BR /> 7 CUST007 host007 997<BR /> 8 CUST008 host008 87<BR /> 9 CUST009 host009 3587<BR /> 10 CUST010 host010 18<BR /> 11 CUST011 host011 273<BR /> 12 CUST012 host012 20227<BR /> 13 CUST013 host001 18</P> <P>I need one alarm for hosts that are in a lookup table AND the filecount is 0. The lookup table is:</P> <PRE><CODE>| inputlookup sldp-oo_customers 1 host001 CUST001 2 host001 CUST001 3 host001 CUST001 4 host020 CUST020 </CODE></PRE> <P>The output I need is:</P> <PRE><CODE>1 CUST020 host020 0 </CODE></PRE> <P>As you may notice, the host in question does not have result in the first search, in this case it is missing data, but I want to be able to change the threshold (0 files) if needed.</P> <P>The only way I found to achieve this result is to run it in 2 searches:</P> <P>1) Generate another lookup file with the result of first search and schedule to run minutes before the second one:</P> <PRE><CODE> index=ssn sourcetype="agent" | rex field=_raw "Files:(?&lt;customer&gt;.*):/tmp/(?&lt;filepath&gt;.*):(?&lt;filecount&gt;.*)" | stats sum(filecount) as filecount by customer host | outputlookup sldp-oo-filecount.csv createinapp=true </CODE></PRE> <P>2) Run search using 2 lookup tables:</P> <PRE><CODE>| inputlookup sldp-oo_customers | lookup sldp-oo-filecount.csv customer as customer host as host OUTPUT filecount | fillnull value=0 filecount | search filecount=0 | fields customer host filecount </CODE></PRE> <P>Is there a better way to do this? Today is fine because the user want it to run every 24h, but it may became nightmare if I need to run it often.</P> <P>Thank you very much for your help,</P> <P>Gerson</P> Tue, 10 Oct 2017 16:21:49 GMT GersonGarcia 2017-10-10T16:21:49Z Help needed with a search and a lookup https://community.splunk.com/t5/Splunk-Search/Help-needed-with-a-search-and-a-lookup/m-p/292572#M88314 <P>All,</P> <P>I have this search:</P> <PRE><CODE>index=ssn sourcetype="agent" | rex field=_raw "Files:(?&lt;customer&gt;.*):/tmp/(?&lt;filepath&gt;.*):(?&lt;filecount&gt;.*)" | stats sum(filecount) as filecount by customer host </CODE></PRE> <P>It returns this data:</P> <P>1 CUST001 host001 782<BR /> 2 CUST002 host002 150<BR /> 3 CUST003 host003 10<BR /> 4 CUST004 host004 15<BR /> 5 CUST005 host005 3<BR /> 6 CUST006 host006 44<BR /> 7 CUST007 host007 997<BR /> 8 CUST008 host008 87<BR /> 9 CUST009 host009 3587<BR /> 10 CUST010 host010 18<BR /> 11 CUST011 host011 273<BR /> 12 CUST012 host012 20227<BR /> 13 CUST013 host001 18</P> <P>I need one alarm for hosts that are in a lookup table AND the filecount is 0. The lookup table is:</P> <PRE><CODE>| inputlookup sldp-oo_customers 1 host001 CUST001 2 host001 CUST001 3 host001 CUST001 4 host020 CUST020 </CODE></PRE> <P>The output I need is:</P> <PRE><CODE>1 CUST020 host020 0 </CODE></PRE> <P>As you may notice, the host in question does not have result in the first search, in this case it is missing data, but I want to be able to change the threshold (0 files) if needed.</P> <P>The only way I found to achieve this result is to run it in 2 searches:</P> <P>1) Generate another lookup file with the result of first search and schedule to run minutes before the second one:</P> <PRE><CODE> index=ssn sourcetype="agent" | rex field=_raw "Files:(?&lt;customer&gt;.*):/tmp/(?&lt;filepath&gt;.*):(?&lt;filecount&gt;.*)" | stats sum(filecount) as filecount by customer host | outputlookup sldp-oo-filecount.csv createinapp=true </CODE></PRE> <P>2) Run search using 2 lookup tables:</P> <PRE><CODE>| inputlookup sldp-oo_customers | lookup sldp-oo-filecount.csv customer as customer host as host OUTPUT filecount | fillnull value=0 filecount | search filecount=0 | fields customer host filecount </CODE></PRE> <P>Is there a better way to do this? Today is fine because the user want it to run every 24h, but it may became nightmare if I need to run it often.</P> <P>Thank you very much for your help,</P> <P>Gerson</P> Tue, 10 Oct 2017 16:21:49 GMT https://community.splunk.com/t5/Splunk-Search/Help-needed-with-a-search-and-a-lookup/m-p/292572#M88314 GersonGarcia 2017-10-10T16:21:49Z Re: Help needed with a search and a lookup https://community.splunk.com/t5/Splunk-Search/Help-needed-with-a-search-and-a-lookup/m-p/292573#M88315 <P>You can use append command to concatenate results from your search and lookup.</P> <P>Like this..</P> <P><CODE>index=ssn sourcetype="agent" <BR /> | rex field=_raw "Files:(?.*):/tmp/(?.*):(?.*)" | stats sum(filecount) as filecount by customer host | append [| inputlookup sldp-oo_customers] | stats values(*) as * by host | fillnull value=0 | where filecount=0</CODE></P> <P>make sure the host fieldname in lookup is also host, otherwise rename it to host in second query</P> Tue, 10 Oct 2017 22:41:09 GMT https://community.splunk.com/t5/Splunk-Search/Help-needed-with-a-search-and-a-lookup/m-p/292573#M88315 kyaparla 2017-10-10T22:41:09Z