
group by lookup output with Splunk search results

smaran06
Path Finder

Hi All,

I have to pull the results in my Splunk query based on a type. I am able to pull the results using the type as shown below.

index=app sourcetype=log4j | stats count as total by type

However, this type is not user-readable, so I created a lookup to map the type to user-readable data as key pairs, as shown below.

Type, APP_NAME
Type1,Mapping1
Type2,Mapping2
Type3,Mapping3

This is not giving me output when I use the query below.

index=app sourcetype=log4j | stats count as total by type|lookup mapping_file.csv type as type_data OUTPUT APP_NAME as APP_NAME_data |replace type with APP_NAME_data in type | table APP_NAME_data,count

Can anyone let me know what mistake I am making here?

0 Karma

woodcock
Esteemed Legend

You are probably getting an error; what is that error?

0 Karma

Richfez
SplunkTrust

Your reference to using lookup mapping_file.csv makes me wonder if you have the CSV file set up correctly. Please double-check your work carefully, following the Configure CSV Lookups section in the docs.

If you end up with a lookup named mapping_file, then it's possible the syntax you need is as follows.

index=app sourcetype=log4j 
| stats count as total by type
| lookup mapping_file Type AS type OUTPUT APP_NAME as APP_NAME_data 
| table APP_NAME_data,total

Pay special attention to AS clauses in lookup - I find them constantly confusing and have to carefully refer back to the docs. The ones after OUTPUT/OUTPUTNEW are fine, it's the ones before that are logically backwards from the way I would prefer them.

0 Karma
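A self-contained search that exercises the lookup syntax from the answer above, added here as an example and not part of the thread. It builds its own sample events with makeresults instead of reading index=app, assumes a lookup definition named mapping_file exists with the Type,APP_NAME columns shown in the question, uses OUTPUTNEW so an existing field is never overwritten, and flags types that have no row in the lookup (they would otherwise come back as empty APP_NAME_data) with a constructed placeholder value. Note that stats renames the count to total, so total, not count, is the field to table.

```spl
| makeresults count=6
| streamstats count AS n
| eval type=case(n<=3, "Type1", n<=5, "Type2", true(), "Type9")
| stats count AS total BY type
| lookup mapping_file Type AS type OUTPUTNEW APP_NAME AS APP_NAME_data
| fillnull value="UNMAPPED" APP_NAME_data
| table type, APP_NAME_data, total
```

With the three-row lookup from the question this returns Type1/Mapping1/3, Type2/Mapping2/2 and Type9/UNMAPPED/1; the last row is how a type missing from the lookup shows up rather than silently disappearing.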