Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to count for all hosts from lookup?

Skysurfer
Explorer
‎04-17-2023 01:23 AM

I have a query that I am using to get the count of events

index=system source=/var/log/syslog/* | rex field=source "(?<host_name>[^\"]*)" | stats count by host_name

Now have a lookup file hf_lookup.csv where there is column as hf_name. This hf_name is the host_name from the above query. I want to get the count against each value of hf_name. Even if the count is 0 for a hf_name, it should be displayed as 0.

Tried using inputlookup with left join and "fillnull value=0 count" but either I am only getting count=>1 or for the hosts that are not in hf_lookup.csv.

Labels (2)
Labels
0 Karma
Reply

woodcock
Esteemed Legend
‎04-18-2023 11:18 AM

index=system source=/var/log/syslog/*
| rex field=source "(?<hf_name>[^\"]*)"
| stats count by hf_name
| eval which = "data"
| inputlookup append=t hf_lookup.csv
| eval which = coalesce(which, "lookup")
| eval count = coalesce(count, "0")
| stats values(which) AS whiches dc(which) AS whichCount first(count) AS count BY hf_name
| rename hf_name AS host_name

Reply

bowesmana
SplunkTrust
SplunkTrust
‎04-17-2023 04:02 AM

So, are you saying that if you find hostname=A and hostname=B with counts 10 and 20 in your search and your lookup file contains hosts A, B and C, you want to see

A=10, B=20, C=0

If so, after your existing search do

| append [
  | inputlookup hf_lookup.csv
  | eval count=0
  | rename hf_name as host_name
]
| stats max(count) as count by hostname
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...