Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to Bump a List with Data in Splunk to Get a Match

_gkollias
Builder
‎12-15-2014 02:01 PM

Hi All,

I have a list of invoice numbers that I want to try and find data for in Splunk. I added the list in a CSV but am having trouble getting other values in Splunk related to those InvoiceNumbers.

Here is where I have left off:

index=contract_gateway sourcetype=esb_audit bp_bp_name=Invoice 
| join type=outer InvoiceNumber [ | inputlookup ctg_invoice_check_lookup.csv | table InvoiceNumber ]

Along with this list I want to find other fields being logged (if they have even logged initally)...something like:

...| stats first(InvoiceNumber) as InvoiceNumber, latest(status) as exit_status, latest(other) as exit_message by bp_context_id

is there a way to "append" these values with the list of invoice numbers in Splunk if they are being logged?

Thanks in advance!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎12-15-2014 02:59 PM

Try it this way instead for your first search:

index=contract_gateway sourcetype=esb_audit bp_bp_name=Invoice [ | inputlookup ctg_invoice_check_lookup.csv 
 | table InvoiceNumber ]

This will retrieve the events with the InvoiceNumber(s) in the lookup table. I am unclear about the second part of your question, but you could try this:

... | stats first(InvoiceNumber) as InvoiceNumber, latest(status) as exit_status, latest(other) as exit_message 
       values(InvoiceNumber) as AllInvoices by bp_context_id

View solution in original post

Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎12-15-2014 02:59 PM

Try it this way instead for your first search:

index=contract_gateway sourcetype=esb_audit bp_bp_name=Invoice [ | inputlookup ctg_invoice_check_lookup.csv 
 | table InvoiceNumber ]

This will retrieve the events with the InvoiceNumber(s) in the lookup table. I am unclear about the second part of your question, but you could try this:

... | stats first(InvoiceNumber) as InvoiceNumber, latest(status) as exit_status, latest(other) as exit_message 
       values(InvoiceNumber) as AllInvoices by bp_context_id
Reply
Solved! Jump to solution

_gkollias
Builder
‎01-13-2015 05:52 AM

sorry for the late response on this.

This is exactly what I did - thanks for your response!

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...