All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to extract data in lookup?

smanojkumar
Contributor
‎04-27-2023 02:06 AM

Hi There!

    I'm having the query, In the station_check_kvstore lookup , the field check_date consists of 180 values for a single src_name, we are having many src_name 

   For instance,  when src_name = 51363 , check_date consists of 180 values,

If we are using this query, it fetched only 100 values of check_date for a single src_name, we need all values or the latest date in check_date,

Solution for both ways is welcome,

 

| inputlookup check_kvstore
| search src_name = 51363
| lookup station_check_kvstore src_name Email OUTPUT check_date
| table src_name Email check_date

 

Thanks is Advance!!

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎04-27-2023 04:55 AM

Hi @smanojkumar,

let me understand:

  • you have two lookups: check_kvstore and station_check_kvstore,
  • it's possible to correlate these two lookups using two keys: src_name Email ,
  • but the problem is thatthere are many (180) values for the check_date field, each one in a different row,

is it correct?

if this is your situation, you could try:

| inputlookup check_kvstore
| append [ | inputlookup station_check_kvstore ]
| search src_name = 51363
| stats values(check_date) AS check_date BY src_name Email

This is possible only if the station_check_kvstore lookup has less than 50,000 values.

if you want a table with a value for each row, you could use this:

| inputlookup check_kvstore
| append [ | inputlookup station_check_kvstore ]
| search src_name = 51363
| stats count BY src_name Email check_date
| fields - count

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

OpenTelemetry for Legacy Apps? Yes, You Can!

This article is a follow-up to my previous article posted on the OpenTelemetry Blog, "Your Critical Legacy App ...

UCC Framework: Discover Developer Toolkit for Building Technology Add-ons

The Next-Gen Toolkit for Splunk Technology Add-on Development The Universal Configuration Console (UCC) ...

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...