Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to combine tstats with inputlookup?

nmohammed
Builder
‎06-29-2016 10:57 AM

I am trying to produce report to get total usage based on time and clientid from a lookup.

Here is the regular tstats search:

| tstats count FROM datamodel=Enc groupby  _time span=1d, Enc.clientid

The above search gives results for all the clientids in the particular index, but I need results for only a list of clientids which is in the DC-Clients.csv

I tried the following, but doesn't produce any results:

| tstats count FROM datamodel=Enc groupby  _time span=1d, Enc.clientid | search [| inputlookup DC-Clients.csv | fields + clientid]

Example contents of DC-Clients.csv

Actual Clientid,clientid
018587,018587
033839,033839

I need to filter results to produce a report for only the clientids in the CSV file. Any suggestions appreciated.

Thanks..!!!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

nmohammed
Builder
‎06-29-2016 03:00 PM

Was able to get the desired results.

First I changed the field name in the DC-Clients.csv lookup file from clientid to Enc.clientid and saved it. So the new DC-Clients.csv file contents look like this:

contents of DC-Clients.csv

Actual Clientid,Enc.clientid
018587,018587
033839,033839

Then the in the search, I used the field Enc.clientid that matches the field in the data model as follows ...

New search:

 | tstats count FROM datamodel=Enc groupby  _time span=1d, Enc.clientid | search [| inputlookup DC-Clients.csv | fields + Enc.clientid]

tstats produces results much faster than the original search I was using.

Thanks..!!!

View solution in original post

Reply
Solved! Jump to solution

my2ndhead
SplunkTrust
SplunkTrust
‎08-31-2017 12:39 PM

A faster variant would be to add the filter directly into the tstats command:

| tstats count FROM datamodel=Enc where [ | inputlookup DC-Clients.csv | fields + Enc.clientid ]  groupby  _time span=1d, Enc.clientid  by host
Reply
Solved! Jump to solution
Solution

nmohammed
Builder
‎06-29-2016 03:00 PM

Was able to get the desired results.

First I changed the field name in the DC-Clients.csv lookup file from clientid to Enc.clientid and saved it. So the new DC-Clients.csv file contents look like this:

contents of DC-Clients.csv

Actual Clientid,Enc.clientid
018587,018587
033839,033839

Then the in the search, I used the field Enc.clientid that matches the field in the data model as follows ...

New search:

 | tstats count FROM datamodel=Enc groupby  _time span=1d, Enc.clientid | search [| inputlookup DC-Clients.csv | fields + Enc.clientid]

tstats produces results much faster than the original search I was using.

Thanks..!!!

Reply
Get Updates on the Splunk Community!

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

To Community SOAR App Developers - we're reaching out with an important update regarding Python 3.9's ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...

Automatic Discovery Part 2: Setup and Best Practices

In Part 1 of this series, we covered what Automatic Discovery is and why it’s critical for observability at ...