Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to see also events with no findings based on lookup

fred1455
New Member
‎08-06-2017 06:52 AM

Hello,

as a Lookup I definded a List of locations and servers

location, servername
Paris, Server1
Paris, Server2
Madrid, Server3
Madrid, Server4
Milano, Server 5

in my sourcetype=serverevents I do have events including the field servername.

How can I make a query based on inputlookup to count and see also locations with no events.

So like

Paris=4 Events
Madrid=0 Events
Milano= 3 Events

Can you helo me please?

Thanks

MIke

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

knielsen
Contributor
‎08-07-2017 04:38 AM

Try this for example:

sourcetype=serverevents [inputlookup your_lookup | fields servername] | stats count by servername | appendcols [| inputlookup your_lookup] | fillnull count | fields location count

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

knielsen
Contributor
‎08-07-2017 04:38 AM

Try this for example:

sourcetype=serverevents [inputlookup your_lookup | fields servername] | stats count by servername | appendcols [| inputlookup your_lookup] | fillnull count | fields location count
0 Karma
Reply
Solved! Jump to solution

DalJeanis
Legend
‎08-07-2017 05:42 AM

@knielsen - appendcols won't work for that - it will add columns to the existing sums, not add events where there wasn't a match. See if you can figure out another way. (hint - append, coalesce, stats)

0 Karma
Reply
Solved! Jump to solution

knielsen
Contributor
‎08-07-2017 05:59 AM

Well, I honestly tried that out with one of our own lookup files, where I have ~100 lines in the lookup. I got a count > 0 for like 20 of those on a limited data set without the appendcols, and adding the appendcols added the unused entries with count=0 as well.

Don't know why it doesn't work for you, Sorry. 🙂

edit: actually, I shut up on this one. I didn't check my ids reappearing, and that even makes sense. So yeah, I am wrong. 🙂

0 Karma
Reply
Solved! Jump to solution

knielsen
Contributor
‎08-07-2017 06:31 AM

And then again, it works as expected when I do it the other way round, start with the inputlookup for the whole table, then add the count for things that are found, then fill count with 0. I got no more duplicated ids then, as the count is correct for the ids found, 0 for non found. No appendcols, just append...

 | inputlookup your_lookup | append [ search sourcetype=serverevents [| inputlookup your_lookup | fields servername ] |stats count by servername] | stats first(*) as * by servername | fillnull count

I double checked the result of that now within my data sets, this should be fine.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...