Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to count with inputlookup?

thanhnv244
New Member
‎05-22-2019 12:52 AM

Hi, I have a search that I have been struggle for a few days.

I have an index that contains two fields: type and Total_Count
I have another CSV that contains similar fields: stype and sTotal_Count

Now the index may have many row with same type and difference Total_Count, same on the CSV

Purpose of the search is: for each row in index, find out how many row in CSV that have stype is equal type, and sTotal_Count is greater than Total_Count, then append the count to the table along side with type and Total_Count

So I have test this inputlookup on CSV and it work fine

| inputlookup typeA.csv where stype="A01" and sTotal_Count > 30 | stats count

Then I would do something like this

index="ktme_v7_measurement"
| join
[|inputlookup typeA.csv where stype=type and sTotal_Count > Total_Count | stats count as type_c]
| table type Total_Count type_c

But the type_c column is always 0

Then I found this question, he had same problem with me on passing field into subsearch

answers/85076/passing-parent-data-into-subsearch.html

but the answer was

an outer search cannot pass values into a subsearch

And now I'm stuck, I'm very new to Splunk so I can not figure out how to do my search here.

Please help me, many thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

FrankVl
Ultra Champion
‎05-22-2019 06:32 AM

This requires getting creative with eventstats and multivalue functions.

index="ktme_v7_measurement" 
| table type Total_Count
| streamstats count as rownum 
| append 
    [|inputlookup typeA.csv | rename stype as type | table stype sTotal_Count ] 
| eventstats list(sTotal_Count) as cvalues by type 
| search Total_Count=* 
| mvexpand cvalues 
| where cvalues>Total_Count 
| stats count by type,Total_Count,rownum 
| table type,Total_Count,count

This gets the data from the index, keeps the 2 relevant columns and gives each row a unique number. This way the search also works when there are duplicate (type,Total_Count) entries in the index. It then adds the data from the lookup, renaming the stype field to type and again keeping only the relevant columns. It then lists all sTotal_Count values found for the same type. It then drops the rows originating from the lookup. It expands the multivalue field and then filters rows where the cvalue is greater than the Total_Count and then counts the entries by type,Total_count,rownum and finally drops the rownum and cvalues columns.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

FrankVl
Ultra Champion
‎05-22-2019 06:32 AM

This requires getting creative with eventstats and multivalue functions.

index="ktme_v7_measurement" 
| table type Total_Count
| streamstats count as rownum 
| append 
    [|inputlookup typeA.csv | rename stype as type | table stype sTotal_Count ] 
| eventstats list(sTotal_Count) as cvalues by type 
| search Total_Count=* 
| mvexpand cvalues 
| where cvalues>Total_Count 
| stats count by type,Total_Count,rownum 
| table type,Total_Count,count

This gets the data from the index, keeps the 2 relevant columns and gives each row a unique number. This way the search also works when there are duplicate (type,Total_Count) entries in the index. It then adds the data from the lookup, renaming the stype field to type and again keeping only the relevant columns. It then lists all sTotal_Count values found for the same type. It then drops the rows originating from the lookup. It expands the multivalue field and then filters rows where the cvalue is greater than the Total_Count and then counts the entries by type,Total_count,rownum and finally drops the rownum and cvalues columns.

0 Karma
Reply
Solved! Jump to solution

thanhnv244
New Member
‎05-22-2019 05:18 PM

Thank you very much, I think the result is perfect for me. The query seem overwhelming, I need to study it more.

0 Karma
Reply
Solved! Jump to solution

FrankVl
Ultra Champion
‎05-23-2019 01:10 AM

Feel free to drop a comment if you need further explanation. A good way to understand what it does, is just execute it step by step (possibly adding some filtering to reduce the number of rows, so it is easier to see what happens in each step).

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...