All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

group by lookup out put with splunk search results

smaran06
Path Finder
‎03-07-2016 04:38 PM

Hi All,

I have to pull the results in my splunk query basing on a type, I am able to pull the results using the type as shown below.

index=app sourcetype=log4j | stats count as total by type

However this type in not user readable, so, I had created a lookup to map the type with user readable data as key pair like show below.

Type, APP_NAME
Type1,Mapping1
Type2,Mapping2
Type3,Mapping3

This is not giving me out put when I use below query.

index=app sourcetype=log4j | stats count as total by type|lookup mapping_file.csv type as type_data OUTPUT APP_NAME as APP_NAME_data |replace type with APP_NAME_data in type | table APP_NAME_data,count

can you anyone let me know, what mistake I am doing here.

0 Karma
Reply

woodcock
Esteemed Legend
‎03-12-2016 07:37 AM

You are probably getting an error; what is that error?

0 Karma
Reply

Richfez
SplunkTrust
SplunkTrust
‎03-07-2016 06:34 PM

Your reference to using lookup mapping_file.csv makes me wonder if you have the csv file set up correctly. Please double-check your work carefully, following the Configure CSV Lookups section in the docs.

If you end up with a lookup named mapping_file then it's possible the syntax you need is as follows.

index=app sourcetype=log4j 
| stats count as total by type
| lookup mapping_file Type AS type OUTPUT APP_NAME as APP_NAME_data 
| table APP_NAME_data,count

Pay special attention to AS clauses in lookup - I find them constantly confusing and have to carefully refer back to the docs. The ones after OUTPUT/OUTPUTNEW are fine, it's the ones before that are logically backwards from the way I would prefer them.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...