Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Custom Splunk query

Ash1
Communicator
‎03-16-2024 03:03 PM 
|mstats sum(faliure.count) as Failed where index=metric-logs by service application_codes

Form the above query i am getting the results of service and application_codes.

But my requirement is to get the application_codes from a csv file and  from only type=error1

below is the csv file

application_codesDescriptionType
0error descp 1error1
10error descp 2error2
10870error descp 3error3
1206error descp 1error1
11error descp 3error3
17error descp 2error2
18error descp 1error1
14error descp 2error2
1729error descp 1error1

 

 

Labels (1)
Labels
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎03-16-2024 06:12 PM

For this problem, using the lookup in subsearch is more direct and potentially more efficient.

|mstats sum(faliure.count) as Failed where index=metric-logs by service application_codes
| search type = error1
  [inputlookup app.csv]

 

Tags (1)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-16-2024 03:13 PM

Try lookup of application_codes in csv and then filter by type

0 Karma
Reply

Ash1
Communicator
‎03-16-2024 03:21 PM 
|mstats sum(faliure.count) as Failed where index=metric-logs by service application_codes
|lookup app.csv  application_codes

when i run the above query i am getting application_codes from mstats query not from csv file

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-16-2024 03:44 PM

Please can you give an example of your expected results?

0 Karma
Reply

Ash1
Communicator
‎03-16-2024 04:50 PM
application_codes
0
1206
18
1729

 

i want to see only the above application codes, that is from csv file only.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-17-2024 03:39 AM

If you just want the application codes, why are you doing the mstats?

| inputlookup app.csv
| where Type="error1"
| table application_codes
0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...