Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to see also events with no findings based on lookup

fred1455
New Member
‎08-06-2017 06:52 AM

Hello,

as a Lookup I definded a List of locations and servers

location, servername
Paris, Server1
Paris, Server2
Madrid, Server3
Madrid, Server4
Milano, Server 5

in my sourcetype=serverevents I do have events including the field servername.

How can I make a query based on inputlookup to count and see also locations with no events.

So like

Paris=4 Events
Madrid=0 Events
Milano= 3 Events

Can you helo me please?

Thanks

MIke

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

knielsen
Contributor
‎08-07-2017 04:38 AM

Try this for example:

sourcetype=serverevents [inputlookup your_lookup | fields servername] | stats count by servername | appendcols [| inputlookup your_lookup] | fillnull count | fields location count

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

knielsen
Contributor
‎08-07-2017 04:38 AM

Try this for example:

sourcetype=serverevents [inputlookup your_lookup | fields servername] | stats count by servername | appendcols [| inputlookup your_lookup] | fillnull count | fields location count
0 Karma
Reply
Solved! Jump to solution

DalJeanis
Legend
‎08-07-2017 05:42 AM

@knielsen - appendcols won't work for that - it will add columns to the existing sums, not add events where there wasn't a match. See if you can figure out another way. (hint - append, coalesce, stats)

0 Karma
Reply
Solved! Jump to solution

knielsen
Contributor
‎08-07-2017 05:59 AM

Well, I honestly tried that out with one of our own lookup files, where I have ~100 lines in the lookup. I got a count > 0 for like 20 of those on a limited data set without the appendcols, and adding the appendcols added the unused entries with count=0 as well.

Don't know why it doesn't work for you, Sorry. 🙂

edit: actually, I shut up on this one. I didn't check my ids reappearing, and that even makes sense. So yeah, I am wrong. 🙂

0 Karma
Reply
Solved! Jump to solution

knielsen
Contributor
‎08-07-2017 06:31 AM

And then again, it works as expected when I do it the other way round, start with the inputlookup for the whole table, then add the count for things that are found, then fill count with 0. I got no more duplicated ids then, as the count is correct for the ids found, 0 for non found. No appendcols, just append...

 | inputlookup your_lookup | append [ search sourcetype=serverevents [| inputlookup your_lookup | fields servername ] |stats count by servername] | stats first(*) as * by servername | fillnull count

I double checked the result of that now within my data sets, this should be fine.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...