Re: How to create a search to combine inputlookup ...

doniv · ‎05-04-2022

Hi,

I want to compare the count of calls obtained in a day with the target in lookup csv,

for example:

input csv:

header: label hr1, hr2,hr3,......hr24

row1: LA, 1,2,1,5.....6

search: date hour:

index=foo | stats count by Label date hour

output: LA, 0,0,0,...5

Expected output:

	count(from lookup file)	count(from search)	Passed
LA	1	1	pass
OA	2	1	fail

Can someone me in writing the code combining search and input lookup?

doniv · ‎05-05-2022

| lookup lookup.csv Label Hour is not showing any results...am i missing anything?

But |inpulookup lokup.csv display the content of csv

ITWhisperer · ‎05-05-2022

Possibly field name mismatches? (Fieldnames are case-sensitive)

Possibly field contents mismatch? (Lookups are usually set up as exact matches)

doniv · ‎05-04-2022

I can manage to bring it for hourly basic, if i can able to do it for aggregated way..

Count of LA in inputlookup is 1 it should match with the search else it is fail

ITWhisperer · ‎05-04-2022

This is still not clear what you are trying to do

If you can change your lookup so it is like this:

Label	Hour	LookupCount
LA	1	1
LA	2	3
etc.

Then you can do

| stats count by Label Hour
| lookup lookup.csv Label Hour
| eval Passed=if(count==LookupCount,"pass","fail")

ITWhisperer · ‎05-04-2022

Your expected output no longer has date or hour - is the hour no longer important?

Your csv appears to have columns for label and each hour but your search stats command will return columns with label, date, hour and count - are you able to rework your csv so it matches your search?

doniv · ‎05-04-2022

I will work on the recommends suggested today and let you know

How to create a search to combine inputlookup and search?

lookup

subsearch

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?