Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can you help me with a tstats count using lookup data?

ajith_sukumaran
Explorer
‎02-27-2019 07:01 AM

Hello,

I have the below query trying to produce the event and host count for the last hour. The index & sourcetype is listed in the lookup CSV file.

However this search does not show an index - sourcetype in the output if it has no data during the last hour.

How do I use fillnull or any other method to show the event & host count as 0 when there is no data for that index/sourcetype?

| tstats count, dc(host) as hosts where 
    [| inputlookup List.csv ]
   by index, sourcetype

My List.csv is something like below, that lists down the index and sorcetypes.

index   sourcetype
----------  ----------------
win_idx  seclog
unx_idx  syslog
nw_idx   lblog
db_idx    dblog

For eg: if index=db_idx sourcetype=dblog count is 0, my current output using the above search is 

index   sourcetype   count   hosts
----------  ----------------  ---------  ----------
win_idx  seclog          1500     15
unx_idx  syslog          3000      50
nw_idx   lblog            1000      25

My expected output is:

index   sourcetype   count   hosts
----------  ----------------  ---------  ----------
win_idx  seclog          1500     15
unx_idx  syslog          3000      50
nw_idx   lblog            1000      25
db_idx    dblog           0            0

Thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Vijeta
Influencer
‎02-27-2019 10:18 AM

@ajith_sukumaran - Try this

 | tstats count, dc(host) as hosts where 
[| inputlookup List.csv ]
by index, sourcetype| append[|inputlookup List.csv ]| fillnull value=0 count, hosts| stats sum(count) as count, sum(hosts) as hosts by index, sourcetype

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Vijeta
Influencer
‎02-27-2019 10:18 AM

@ajith_sukumaran - Try this

 | tstats count, dc(host) as hosts where 
[| inputlookup List.csv ]
by index, sourcetype| append[|inputlookup List.csv ]| fillnull value=0 count, hosts| stats sum(count) as count, sum(hosts) as hosts by index, sourcetype
0 Karma
Reply
Solved! Jump to solution

ajith_sukumaran
Explorer
‎03-06-2019 08:52 AM

Thanks for sharing this search. This is producing the result as required.

0 Karma
Reply
Solved! Jump to solution

tiagofbmm
Influencer
‎02-27-2019 08:45 AM

There will be nothing to count on if the sourcetype doesn't have any events there, that's just how Splunk works there. You can get the results you want with this though:

| inputlookup list.csv
| join type=left index, sourcetype [
| inputlookup list.csv
| map search="| tstats count where index=$index$ sourcetype=$sourcetype$ by index,sourcetype"]
| fillnull value=0

Let me know what you think

0 Karma
Reply
Solved! Jump to solution

ajith_sukumaran
Explorer
‎02-27-2019 10:07 AM

Thanks. I tried this but the result is not as expected as the count value gets mismatched with the index - sourcetype.

The first few index/ sourcetype shows the values as expected and fills data for those where no events. That's great.

However remaining index/ sourcetype shows value 0 even if there is events present.

0 Karma
Reply
Solved! Jump to solution

tiagofbmm
Influencer
‎02-27-2019 10:21 AM

This search shows a count of 0 for pairs (sourcetype,index) that don't have any value. Adding the dc(host) will get your fourth column. Value mismatch on the count? tstats count by index,sourcetype can't be wrong, this runs tstats count by index,sourcetype, how can it be right for some and wrong for others?

0 Karma
Reply
Solved! Jump to solution

ajith_sukumaran
Explorer
‎03-06-2019 08:51 AM

yeah, I agree. This should have populated the actual counts and filled with null values. But I am not sure why the mismatch happens. Thanks for the search, I have the stats as required now.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Financial services organizations face an impossible equation: maintain 99.9% uptime for mission-critical ...

Customer success is front and center at .conf25

Hi Splunkers, If you are not able to be at .conf25 in person, you can still learn about all the latest news ...