Hi Guys,
I have a requirement like this. In a search I am getting a field like
ExtraInfo Count
User-Gmail-GoogleChrome 6
Inbox-Yahoo! Mail 3
.....
In another search I have keywords like Gmail, Yahoo! Mail, etc.
I want to write a query which gives me the output like this.
Keyword Count
Gmail 6
Yahoo! Mail 3
Could you please help me in this regard?
Try this
<first search giving fields ExtraInfo,Count> | fields ExtraInfo, Count | eval joinfield=1
| join type=left max=0 joinfield [search <second search giving fields Keyword> | fields Keyword | eval joinfield=1]
| eval shouldInclude=if(like(ExtraInfo,"%".Keyword."%"),"Yes","No")
| where shouldInclude="Yes"
| fields Keyword, Count
I could think of this. But can I manage this big case statement (this case statement may grow) like an event type or something else in my Splunk?
Configuration of the lookup table files and lookup definitions is required.
.....| join ExtraInfo [| inputlookup lookup_tbl] | table Keyword, Count
ExtraInfo,Keyword
"User-Gmail-GoogleChrome","Gmail"
"User-Gmail-GoogleChromeXXX","Gmail"
"User-Gmail-GoogleChromeYYY","Gmail"
"Inbox-Yahoo! Mail","Yahoo! Mail"
"Inbox-Yahoo! MailXXX","Yahoo! Mail"
"Inbox-Yahoo! MailYYY","Yahoo! Mail"
Custom field cannot be edited without a LOOKUP?
....|rex field=ExtraInfo "-(?
Gmail-GoogleChrome
Yahoo! Mail
Can I place only keywords in lookup table instead of both ExtraInfo and Keyword?
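Added example, not from any of the posts above: one way to get the keyword-only lookup asked about here is a lookup definition with wildcard matching, so the CSV holds a pattern column and the Keyword column and no ExtraInfo values at all. The lookup name keyword_lookup, the file name keyword_lookup.csv and the column name pattern are assumed names; the rows are constructed from the values in the question. The transforms.conf stanza, the CSV contents and the search are shown in one block separated by comment lines and belong in three separate files.

```spl
# transforms.conf  (lookup definition; match_type turns the pattern column into a wildcard match)
[keyword_lookup]
filename            = keyword_lookup.csv
match_type          = WILDCARD(pattern)
max_matches         = 1
case_sensitive_match = false

# keyword_lookup.csv  (only keywords and their wildcard patterns; no ExtraInfo values)
pattern,Keyword
*Gmail*,Gmail
*Yahoo! Mail*,Yahoo! Mail

# search: tag each ExtraInfo row with its Keyword, drop rows no pattern matched, then aggregate
<first search giving fields ExtraInfo,Count>
| fields ExtraInfo, Count
| lookup keyword_lookup pattern AS ExtraInfo OUTPUT Keyword
| where isnotnull(Keyword)
| stats sum(Count) AS Count BY Keyword
```

With the sample rows from the question this yields Gmail 6 and Yahoo! Mail 3. Adding a keyword means adding one CSV row rather than another branch of a case() or another row per ExtraInfo variant, and because lookup runs per row there is no join or subsearch, so the subsearch result limits that bound the join approach do not apply. max_matches = 1 keeps Keyword single-valued when two patterns overlap (the first matching row wins); drop it if a row should count toward every keyword it matches.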