Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Comparing index with inputlookup?

danutmatei
Explorer
‎03-13-2023 04:20 AM

Hi,

I have a policy.csv file with 2 columns:

user                   tags

Andre               IT

Kleo                  Management

Vlad                  Finance

 

And I also have an index=events with events and field "user"

What I want is to count the number of events for each tag by user.

for example:

User          Tags         Count

Andre         IT           55

 

I've tried this, but it counts the number of rows from the csv, not from index:

|inputlookup policy.csv
| join type=left tags [|tstats count where index=events by user]
|stats count by user tags
Labels (3)
Labels
0 Karma
Reply

danutmatei
Explorer
‎03-13-2023 05:29 AM

Error in 'lookup' command: Must specify one or more lookup fields.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-13-2023 05:37 AM

Sorry, try it this way

|tstats count where index=events by user
| lookup policy.csv user
0 Karma
Reply

danutmatei
Explorer
‎03-13-2023 05:43 AM

bot working, I get 0 statistics

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-13-2023 06:00 AM

What is your current search?

0 Karma
Reply

danutmatei
Explorer
‎03-13-2023 06:04 AM 
|tstats count where index=events by user
| lookup policy.csv user
Tags (1)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-13-2023 06:07 AM

Does this return any results?

|tstats count where index=events by user

If not, how about this

index=events
| stats count by user
0 Karma
Reply

danutmatei
Explorer
‎03-13-2023 06:13 AM

And what should I do with this query ? since is not solving my issue and the lookup file is not included ?!

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-13-2023 06:16 AM

If you are not getting any results from the tstats or the stats, then the lookup isn't going to make any difference. You need to look at why there are no results. Perhaps the fields don't exist or are spelt differently, including differences in upper and lower case.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-13-2023 04:31 AM

Would this work for you?

|tstats count where index=events by user
| lookup policy.csv
0 Karma
Reply

danutmatei
Explorer
‎03-13-2023 04:51 AM

no

Tags (1)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-13-2023 05:20 AM

In what way does it not work? What else can you tell us about your data which might help us suggest a more meaningful solution?

0 Karma
Reply
Get Updates on the Splunk Community!

Good Sourcetype Naming

When it comes to getting data in, one of the earliest decisions made is what to use as a sourcetype. Often, ...

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...

Splunk App for Anomaly Detection End of Life Announcement

Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...
Top