Splunk Cloud Platform
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Tstats on lookup hosts

szukaczov
Engager
‎07-30-2021 12:10 AM

Hello,

I have below TSTATS command which is checking the specifig index population with events per day:

 

| tstats count WHERE (index=_internal AND sourcetype=splunkd) OR (index=B) by host,sourcetype,index,_time span=1d

 

I would like to modify it to run the search on only hosts which are in the lookup list servers.csv. 

 

Can you please help me with modification? 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎08-06-2021 05:31 AM

I think I see the problem.  An "AND" was missing before the subsearch.  I've corrected my original answer.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎07-30-2021 05:51 AM

Add the lookup in a subsearch with the where clause.

 

| tstats count WHERE (index=_internal AND sourcetype=splunkd) OR (index=B) AND [ | inputlookup servers.csv | return 1000 host] by host,sourcetype,index,_time span=1d

 

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

szukaczov
Engager
‎08-05-2021 12:58 AM

Thank you @richgalloway , for your assistance. I have checked the query and I have error:

 

"may have returned partial results. Try running your search again. If you see this error repeatedly, review search.log for details or contact your Splunk administrator."

 

 

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎08-05-2021 05:12 AM

Did you follow the instructions in the error message?  What did you see in search.log?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

diirn
Explorer
‎08-06-2021 12:40 AM

I think here is the error:

"

08-06-2021 07:34:37.521 ERROR TsidxStats [60531 searchOrchestrator] - Incorrect WHERE clause : [ AND 1000 csv host inputlookup list return server splunk [ OR index::* [ AND index::_internal sourcetype::splunkd ] ] ] 

"

08-06-2021 07:34:37.521 ERROR TsidxStats [60531 searchOrchestrator] - WHERE clause is not an exact query

 

 

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎08-06-2021 05:31 AM

I think I see the problem.  An "AND" was missing before the subsearch.  I've corrected my original answer.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎08-06-2021 09:37 AM

If your problem is resolved, then please click the "Accept as Solution" button to help future readers.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

diirn
Explorer
‎08-06-2021 06:53 AM

Thank you very much, I think the problem is solved! 

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...