Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Comparing index with inputlookup?

danutmatei
Explorer
‎03-13-2023 04:20 AM

Hi,

I have a policy.csv file with 2 columns:

user                   tags

Andre               IT

Kleo                  Management

Vlad                  Finance

 

And I also have an index=events with events and field "user"

What I want is to count the number of events for each tag by user.

for example:

User          Tags         Count

Andre         IT           55

 

I've tried this, but it counts the number of rows from the csv, not from index:

|inputlookup policy.csv
| join type=left tags [|tstats count where index=events by user]
|stats count by user tags
Labels (3)
Labels
0 Karma
Reply

danutmatei
Explorer
‎03-13-2023 05:29 AM

Error in 'lookup' command: Must specify one or more lookup fields.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-13-2023 05:37 AM

Sorry, try it this way

|tstats count where index=events by user
| lookup policy.csv user
0 Karma
Reply

danutmatei
Explorer
‎03-13-2023 05:43 AM

bot working, I get 0 statistics

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-13-2023 06:00 AM

What is your current search?

0 Karma
Reply

danutmatei
Explorer
‎03-13-2023 06:04 AM 
|tstats count where index=events by user
| lookup policy.csv user
Tags (1)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-13-2023 06:07 AM

Does this return any results?

|tstats count where index=events by user

If not, how about this

index=events
| stats count by user
0 Karma
Reply

danutmatei
Explorer
‎03-13-2023 06:13 AM

And what should I do with this query ? since is not solving my issue and the lookup file is not included ?!

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-13-2023 06:16 AM

If you are not getting any results from the tstats or the stats, then the lookup isn't going to make any difference. You need to look at why there are no results. Perhaps the fields don't exist or are spelt differently, including differences in upper and lower case.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-13-2023 04:31 AM

Would this work for you?

|tstats count where index=events by user
| lookup policy.csv
0 Karma
Reply

danutmatei
Explorer
‎03-13-2023 04:51 AM

no

Tags (1)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-13-2023 05:20 AM

In what way does it not work? What else can you tell us about your data which might help us suggest a more meaningful solution?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...

Keep the Learning Going with the New Best of .conf Hub

Hello Splunkers, With .conf26 getting closer, there’s already a lot of excitement building around this year’s ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...