Getting Data In

Splunk query

sverdhan
Loves-to-Learn Lots

Hello team,

Please help me modify this query such that it is able to loop through all the values of the csv file:

Although it is able to give the clients and sensitivity of the selected sourcetype, in the result fields Sourcetype, Domain and NewIndex it is only giving the values of the first sourcetype, A4Server.


For example, here the selected sourcetype is A4server, but in the Sourcetype field it is giving A4ServerBeta, as it is not looping through the entire csv but only the first value.

| tstats count WHERE index=* sourcetype=A4Server by index
| rex field=index max_match=0 "(?<clients>\w+)(?<sensitivity>_private|_public)"
| table index, clients, sensitivity
| join type=left client [
    | inputlookup appserverdomainmapping.csv
    | table NewIndex, Domain, Sourcetype
]
| eval NewIndex= NewIndex + sensitivity
| table clients, sensitivity, Domain, Sourcetype, NewIndex


0 Karma

bowesmana
SplunkTrust

As @gcusello said, don't use join; that's the wrong way to do this. However, you are also using the wrong field: your rex statement is extracting the field called clients, but your join is using client (singular).

Please use the lookup way to do this, not join.


0 Karma

gcusello
SplunkTrust

Hi @sverdhan,

did you try to use the lookup command (https://help.splunk.com/en/splunk-enterprise/search/spl-search-reference/9.4/search-commands/lookup) instead of inputlookup in your search?

The lookup command is like a left join.

| tstats count WHERE index=* sourcetype=A4Server by index 
| rex field=index max_match=0 "(?<clients>\w+)(?<sensitivity>_private|_public)"
| fields - count
| lookup appserverdomainmapping.csv client OUTPUT NewIndex, Domain, Sourcetype
| eval NewIndex= NewIndex.sensitivity
| table clients, sensitivity, Domain, Sourcetype, NewIndex

Ciao.

Giuseppe


0 Karma

sverdhan
Loves-to-Learn Lots

Hello Giuseppe,

Thanks much for your suggestion, but the query is giving an error: Cannot find client in the source field client in the lookup table. Now, we can't add clients in the lookup table because that would complicate things. Can you please tell me other ways to do it, maybe through join or something.


Much appreciated.

0 Karma

PrewinThomas
Motivator

@sverdhan 

Try below with clients,

| tstats count WHERE index=* by index sourcetype
| rex field=index max_match=0 "(?<clients>\w+)(?<sensitivity>_private|_public)"
| lookup appserverdomainmapping.csv clients OUTPUT NewIndex, Domain, Sourcetype
| eval NewIndex=NewIndex.sensitivity
| table clients, sensitivity, Domain, Sourcetype, NewIndex


If you do not need to add clients and just want to display the lookup fields, you can use appendcols:

| tstats count WHERE index=* by index sourcetype
| rex field=index max_match=0 "(?<clients>\w+)(?<sensitivity>_private|_public)"
| appendcols [| inputlookup appserverdomainmapping.csv | fields Domain, Sourcetype, NewIndex]
| eval NewIndex=NewIndex.sensitivity
| table clients, sensitivity, Domain, Sourcetype, NewIndex


Regards,
Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

0 Karma

sverdhan
Loves-to-Learn Lots

Hello, this query seems to be working, but the clients field is a multivalue field for some sourcetypes, so its results are spread out. Can you modify it?

0 Karma
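One way to handle the multivalue case raised above, as an added example that is not part of any post in this thread: the rex with max_match=0 can produce paired multivalue clients and sensitivity fields on one row, so the pairs are zipped, expanded to one row per client, and only then passed to lookup. It assumes, as in the query reported to be working, that appserverdomainmapping.csv has a clients column (if the column were named client instead, the lookup line would read `lookup appserverdomainmapping.csv client AS clients OUTPUT ...`) and that index names follow the pattern the rex expects, e.g. a constructed acme_private.

```spl
| tstats count WHERE index=* sourcetype=A4Server BY index sourcetype
| rex field=index max_match=0 "(?<clients>\w+)(?<sensitivity>_private|_public)"
| fields - count
| eval pair=mvzip(clients, sensitivity, "|")
| mvexpand pair
| eval clients=mvindex(split(pair, "|"), 0), sensitivity=mvindex(split(pair, "|"), 1)
| fields - pair
| lookup appserverdomainmapping.csv clients OUTPUT NewIndex, Domain, Sourcetype
| eval NewIndex=NewIndex.sensitivity
| table index, sourcetype, clients, sensitivity, Domain, Sourcetype, NewIndex
```

mvzip keeps each client aligned with its own sensitivity value, so expanding the single pair field avoids the cross product you would get from running mvexpand on clients and sensitivity separately. Field names are case-sensitive, so the CSV's Sourcetype and the tstats sourcetype coexist as distinct columns; rows with no CSV match keep a null NewIndex, which makes unmapped indexes easy to spot with `where isnull(Domain)`.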

sverdhan
Loves-to-Learn Lots

A4server Beta is the first value, so no matter what sourcetype I choose it is only giving the values of A4server Beta in Sourcetype, NewIndex and Domain.

0 Karma