
group by lookup output with splunk search results

smaran06
Path Finder

Hi All,

I have to pull the results in my splunk query based on a type, and I am able to pull the results using the type as shown below.

index=app sourcetype=log4j | stats count as total by type

However, this type is not user readable, so I created a lookup to map the type to user-readable data as key pairs, as shown below.

Type, APP_NAME
Type1,Mapping1
Type2,Mapping2
Type3,Mapping3

This is not giving me output when I use the query below.

index=app sourcetype=log4j | stats count as total by type|lookup mapping_file.csv type as type_data OUTPUT APP_NAME as APP_NAME_data |replace type with APP_NAME_data in type | table APP_NAME_data,count

Can anyone let me know what mistake I am making here?

0 Karma

woodcock
Esteemed Legend

You are probably getting an error; what is that error?

0 Karma

Richfez
SplunkTrust

Your reference to using lookup mapping_file.csv makes me wonder if you have the csv file set up correctly. Please double-check your work carefully, following the Configure CSV Lookups section in the docs.

If you end up with a lookup named mapping_file, then it's possible the syntax you need is as follows.

index=app sourcetype=log4j
| stats count as total by type
| lookup mapping_file Type AS type OUTPUT APP_NAME AS APP_NAME_data
| table APP_NAME_data, total

Pay special attention to AS clauses in lookup - I find them constantly confusing and have to carefully refer back to the docs. The ones after OUTPUT/OUTPUTNEW are fine, it's the ones before that are logically backwards from the way I would prefer them.

0 Karma
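An added way to check the AS direction without touching the index (this is an illustration, not code from the thread): it builds a few constructed events with makeresults, runs the same stats and lookup, and keeps the raw type for any value the lookup does not know. It assumes the lookup definition is named mapping_file and has the columns Type and APP_NAME from the CSV above; on the left of each AS is the lookup's column, on the right is the field in your events.

```spl
| makeresults count=4
| streamstats count AS n
| eval type=case(n<=2, "Type1", n=3, "Type2", true(), "TypeX")
| stats count AS total BY type
| lookup mapping_file Type AS type OUTPUT APP_NAME AS APP_NAME_data
| eval APP_NAME_data=coalesce(APP_NAME_data, type)
| table APP_NAME_data, total
```

The constructed TypeX row has no lookup entry, so the coalesce keeps it visible as TypeX rather than dropping it to a blank name; without that line an unmapped type silently shows up with an empty APP_NAME_data.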