All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to extract data in lookup?

smanojkumar
Contributor
‎04-27-2023 02:06 AM

Hi There!

    I'm having the query, In the station_check_kvstore lookup , the field check_date consists of 180 values for a single src_name, we are having many src_name 

   For instance,  when src_name = 51363 , check_date consists of 180 values,

If we are using this query, it fetched only 100 values of check_date for a single src_name, we need all values or the latest date in check_date,

Solution for both ways is welcome,

 

| inputlookup check_kvstore
| search src_name = 51363
| lookup station_check_kvstore src_name Email OUTPUT check_date
| table src_name Email check_date

 

Thanks is Advance!!

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎04-27-2023 04:55 AM

Hi @smanojkumar,

let me understand:

  • you have two lookups: check_kvstore and station_check_kvstore,
  • it's possible to correlate these two lookups using two keys: src_name Email ,
  • but the problem is thatthere are many (180) values for the check_date field, each one in a different row,

is it correct?

if this is your situation, you could try:

| inputlookup check_kvstore
| append [ | inputlookup station_check_kvstore ]
| search src_name = 51363
| stats values(check_date) AS check_date BY src_name Email

This is possible only if the station_check_kvstore lookup has less than 50,000 values.

if you want a table with a value for each row, you could use this:

| inputlookup check_kvstore
| append [ | inputlookup station_check_kvstore ]
| search src_name = 51363
| stats count BY src_name Email check_date
| fields - count

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...