I have a lookup file with the entire list of service names. Now I want to perform a search to get the count per service, and for the services not present in the logs for the selected time range but present in the lookup file, the count has to be shown as 0.
Please assist @niketn
@renjith_nair Thanks for the suggestion, this worked, but I have another question:
When the service is present in both the logs and the lookup file, it should take the function (a field that is extracted using regex) from the logs.
Glad that the solution worked. 👍 would be appreciated 🙂
Would you mind sharing the search and explaining what you currently have and what you expect? Is that function/field after the stats function?
In the event in which the service name is present, the function name corresponding to the service name is also present.
Now I have a lookup file with the whole list of service names.
My search has to look for the service name in the log; if present, it should bring its corresponding function name and also the count by service and function name.
And for services not present in the log but present in the lookup file, it should bring the count as zero.
This is my requirement.
Try this run-anywhere example and check if it works for your use case:
| makeresults
| eval continent="Asia Asia Africa Europe"
| makemv continent
| mvexpand continent
| appendcols
    [| makeresults
     | eval country="China China Angola Germany"
     | makemv country
     | mvexpand country]
| rename COMMENT as "Created dummy events above"
| append
    [| inputlookup geo_attr_countries.csv
     | fields country]
| fillnull value="NULL" continent
| stats count by country, continent
| eval count=if(continent=="NULL", 0, count)
We have a few events with country and continent, and we compare them against the lookup, which has only a list of countries.
The same logic explained above can be used. Let me try to explain that with a dummy search:
index="your index"
| stats count by service, "other fields"
| eval source="events"
| append
    [| inputlookup <your lookup file>
     | fields service
     | eval source="lookup"]
| eventstats values(source) as source by service
| eval status=if(mvcount(source)>1, "Available in Both", if(isnotnull(mvfind(source,"events")), "Available in Events", "Available in Lookup"))
| fields - source
| fillnull value=0 count
| stats sum(count) as count, values(function) as function, values(status) as status by service
Here is again a run-anywhere example:
| makeresults
| eval continent="Asia Asia Africa Europe"
| makemv continent
| mvexpand continent
| appendcols
    [| makeresults
     | eval country="China China Angola Germany"
     | makemv country
     | mvexpand country]
| stats count by country, continent
| eval source="events"
| append
    [| inputlookup geo_attr_countries.csv
     | fields country
     | eval source="lookup"]
| eventstats values(source) as source by country
| eval status=if(mvcount(source)>1, "Available in Both", if(isnotnull(mvfind(source,"events")), "Available in Events", "Available in Lookup"))
| fields - source
| fillnull value=0 count
| stats sum(count) as count, values(continent) as continent, values(status) as status by country
Let me know the changes you want from the above search.
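The following is an added run-anywhere search, not posted by either participant in this thread, that covers both of the asks above (the zero count for lookup-only services, and carrying the regex-extracted function through for services found in the logs) in a single stats pass instead of the eventstats step. The log lines, the field names svc/fn, the regexes and the service list are all constructed for the example; a makeresults subsearch stands in for the real inputlookup. It also handles one edge case the thread does not mention: an event whose service is extracted but whose function is not would be silently dropped by stats count by service, function (null group-by field), so the service would then show up as count 0 from the lookup side even though it did log; the fillnull before stats keeps that event and labels the function "unknown". From a monitoring point of view the zero-count rows are the interesting ones, since they are the services in your inventory that produced no events in the selected time range.

```spl
| makeresults
| rename COMMENT as "Constructed sample events; one payments event deliberately has no fn= field"
| eval _raw="svc=auth fn=login,svc=auth fn=login,svc=auth fn=logout,svc=payments fn=charge,svc=payments,svc=search fn=query"
| makemv delim="," _raw
| mvexpand _raw
| rex "svc=(?<service>\S+)"
| rex "fn=(?<function>\S+)"
| rename COMMENT as "Keep events whose function did not extract instead of losing them in stats"
| fillnull value="unknown" function
| stats count by service, function
| eval source="events"
| append
    [| makeresults
     | rename COMMENT as "Stand-in for: | inputlookup <your lookup file> | fields service"
     | eval service="auth,payments,billing,inventory"
     | makemv delim="," service
     | mvexpand service
     | eval count=0, source="lookup"
     | fields service count source]
| rename COMMENT as "One pass: lookup rows contribute 0 to the sum, events contribute their counts and functions"
| stats sum(count) as count, values(function) as function, values(source) as source by service
| eval status=case(mvcount(source)==2, "Available in Both",
                   source=="events", "Available in Events only",
                   true(), "Available in Lookup only")
| fields - source
```

With the constructed data this yields auth (count 3, function login/logout, Both), payments (count 2, function charge/unknown, Both), search (count 1, function query, Events only), and billing and inventory (count 0, no function, Lookup only). To use it on real data, replace the first makeresults/rex block with your index search plus your own rex for service and function, and replace the subsearch with | inputlookup <your lookup file> | fields service | eval count=0, source="lookup". Because the lookup side seeds count=0 before the final stats, no fillnull on count is needed afterwards.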