Solved: Why sistats doesn't work after lookup?

maayan · ‎08-09-2023

Hi,

I wrote a report that merge the result with lookup table to add fields (like machineName). the lookup table contain the field,source.
then, I do sistats as the following:

index=....search query...
| lookup lk_table_name.csv source AS source
| sistats values(*) as * by TimeStamp,source

if I write sistats command after the lookup command the new fields from the lookup table disappear.

if i write the sistats before the lookup command everything is ok but then i have other problem when i try to parse the summary index:
index=summary search_name="query_SummaryIndex_Main"
| stats values(*) as * by TimeStamp,source

what should i do? why sistats doesnt work after lookup?

thanks,
Maayan

maayan · ‎08-10-2023

stupid solution but works- write stats before and after lookup:

| stats values(*) as * by TimeStamp,source

| lookup mylookup_table.csv source AS source

| stats values(*) as * by TimeStamp,source

View solution in original post

maayan · ‎08-10-2023

stupid solution but works- write stats before and after lookup:

| stats values(*) as * by TimeStamp,source

| lookup mylookup_table.csv source AS source

| stats values(*) as * by TimeStamp,source

Why sistats doesn't work after lookup?

other

summary indexing

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)