Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Can you help me do an outputlookup with a conditio...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jip31
Motivator
11-21-2018
11:00 PM
Hello
I use the code below.
I'm doing an outputlookup at the end of the query, but I want to do it with a condition.
The condition is that Build=1511.
Do i have to use a where command or there is another solution please??
eventtype="AppliEV" Level=*
| dedup host
| stats count by host
| append
[ search index="ai-wkst-windows-fr" sourcetype=WinRegistry key_path="\\registry\\machine\\xx"
OR
key_path="\\registry\\machine\\xx"
| eval OS=if(key_path=="\\registry\\machine\\software\\xx),
Build=if(key_path=="\\registry\\machine\\software\\xx)
| stats latest(OS) as OS latest(Build) as Build by host ]
| stats values(OS) as OS values(Build) as Build by host
| stats count as Total by OS Build host | fields - host | outputlookup build.csv
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
nryabykh
Path Finder
11-22-2018
02:29 AM
Hi!
You can use a where command in this way:
...
| stats count as Total by OS Build host
| fields - host
| appendpipe
[where Build="1511"
| outputlookup override_if_empty=f build.csv
| where nofield="novalue"]
It helps to avoid overriding build.csv with empty file in case of Build is not 1511.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
nryabykh
Path Finder
11-22-2018
02:29 AM
Hi!
You can use a where command in this way:
...
| stats count as Total by OS Build host
| fields - host
| appendpipe
[where Build="1511"
| outputlookup override_if_empty=f build.csv
| where nofield="novalue"]
It helps to avoid overriding build.csv with empty file in case of Build is not 1511.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
grittonc
Contributor
04-08-2019
05:32 AM
This is awesome! Thank you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jip31
Motivator
11-22-2018
10:05 PM
many thanks
Get Updates on the Splunk Community!
Congratulations to the 2025-2026 SplunkTrust!
Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!
The ...
[Puzzles] Solve, Learn, Repeat: Nested loops in Event Conversion
This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...
Your Guide to Splunk Digital Experience Monitoring
A flawless digital experience isn't just an advantage, it's key to customer loyalty and business success. But ...
