Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Custom Splunk query

Ash1
Communicator
‎03-16-2024 03:03 PM 
|mstats sum(faliure.count) as Failed where index=metric-logs by service application_codes

Form the above query i am getting the results of service and application_codes.

But my requirement is to get the application_codes from a csv file and  from only type=error1

below is the csv file

application_codesDescriptionType
0error descp 1error1
10error descp 2error2
10870error descp 3error3
1206error descp 1error1
11error descp 3error3
17error descp 2error2
18error descp 1error1
14error descp 2error2
1729error descp 1error1

 

 

Labels (1)
Labels
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎03-16-2024 06:12 PM

For this problem, using the lookup in subsearch is more direct and potentially more efficient.

|mstats sum(faliure.count) as Failed where index=metric-logs by service application_codes
| search type = error1
  [inputlookup app.csv]

 

Tags (1)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-16-2024 03:13 PM

Try lookup of application_codes in csv and then filter by type

0 Karma
Reply

Ash1
Communicator
‎03-16-2024 03:21 PM 
|mstats sum(faliure.count) as Failed where index=metric-logs by service application_codes
|lookup app.csv  application_codes

when i run the above query i am getting application_codes from mstats query not from csv file

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-16-2024 03:44 PM

Please can you give an example of your expected results?

0 Karma
Reply

Ash1
Communicator
‎03-16-2024 04:50 PM
application_codes
0
1206
18
1729

 

i want to see only the above application codes, that is from csv file only.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-17-2024 03:39 AM

If you just want the application codes, why are you doing the mstats?

| inputlookup app.csv
| where Type="error1"
| table application_codes
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...