https://community.splunk.com/t5/Splunk-Search/table-lookup-issues/m-p/301992#M90927 <P>I have another question .. do i have to update my csv file every time I get a new error or is there any other way that can also automatically do this . Just asking out of curiosity.</P> Thu, 18 May 2017 07:11:45 GMT loveforsplunk 2017-05-18T07:11:45Z https://community.splunk.com/t5/Splunk-Search/table-lookup-issues/m-p/301988#M90923 <P>I have a lookup table named lookupfile.csv<BR /> My file looks like this:<BR /> col1,col2,col3,col4<BR /> 100,300,500,yes<BR /> 200,400,600,yes1<BR /> 300,100,500,yes3</P> <P>My search is : <BR /> basesearch | lookup mylookup col1 , col2 , col3 OUTPUT col4 | stats count by col1, col2, col3, col4</P> <P>For each event where all the input values matches, there will be a resulting field, col4, available for that event.<BR /> So if I have field1=100 AND field2=300 AND field3=500 then I will get back col4=yes or yes1 or yes2 based on the combination.</P> <P>Now , suppose splunk gets a new combination for the base search whose details are not listed in the lookup file. Can I get the combination in statistics tab keeping the col4 field as blank ?</P> Thu, 18 May 2017 05:47:52 GMT https://community.splunk.com/t5/Splunk-Search/table-lookup-issues/m-p/301988#M90923 loveforsplunk 2017-05-18T05:47:52Z https://community.splunk.com/t5/Splunk-Search/table-lookup-issues/m-p/301989#M90924 <P>Before the stats command add a fillnull for field col4 -</P> <PRE><CODE>basesearch | lookup mylookup col1 , col2 , col3 OUTPUT col4 | fillnull value="" col4 | stats count by col1, col2, col3, col4 </CODE></PRE> <P>I would suggest adding a character and not a blank space to make the output easier to read -</P> <PRE><CODE>| fillnull value="-" col4 </CODE></PRE> Thu, 18 May 2017 06:01:11 GMT https://community.splunk.com/t5/Splunk-Search/table-lookup-issues/m-p/301989#M90924 dineshraj9 2017-05-18T06:01:11Z https://community.splunk.com/t5/Splunk-Search/table-lookup-issues/m-p/301990#M90925 <P>Ahhh.. Thank You! I was doing the same thing of adding fillnull command but my mistake was I was adding it at the end of the search string. Thanks buddy!</P> Thu, 18 May 2017 06:56:05 GMT https://community.splunk.com/t5/Splunk-Search/table-lookup-issues/m-p/301990#M90925 loveforsplunk 2017-05-18T06:56:05Z https://community.splunk.com/t5/Splunk-Search/table-lookup-issues/m-p/301991#M90926 <P>Sure.. no problem <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 18 May 2017 06:58:29 GMT https://community.splunk.com/t5/Splunk-Search/table-lookup-issues/m-p/301991#M90926 dineshraj9 2017-05-18T06:58:29Z https://community.splunk.com/t5/Splunk-Search/table-lookup-issues/m-p/301992#M90927 <P>I have another question .. do i have to update my csv file every time I get a new error or is there any other way that can also automatically do this . Just asking out of curiosity.</P> Thu, 18 May 2017 07:11:45 GMT https://community.splunk.com/t5/Splunk-Search/table-lookup-issues/m-p/301992#M90927 loveforsplunk 2017-05-18T07:11:45Z https://community.splunk.com/t5/Splunk-Search/table-lookup-issues/m-p/301993#M90928 <P>If you can form a query to identify new error and populate required fields, you can have another search running to update your lookup file with these fields using outputlookup command.</P> <PRE><CODE>basesearch | lookup mylookup col1 , col2 , col3 OUTPUT col4 | search NOT col4=* </CODE></PRE> <P>This will give you where there are no matches in the lookup and the fields that may have to be updated.</P> Thu, 18 May 2017 07:15:40 GMT https://community.splunk.com/t5/Splunk-Search/table-lookup-issues/m-p/301993#M90928 dineshraj9 2017-05-18T07:15:40Z https://community.splunk.com/t5/Splunk-Search/table-lookup-issues/m-p/301994#M90929 <P>Thank You!!</P> Sun, 21 May 2017 04:48:16 GMT https://community.splunk.com/t5/Splunk-Search/table-lookup-issues/m-p/301994#M90929 loveforsplunk 2017-05-21T04:48:16Z