Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to create a search to combine inputlookup and search?

doniv
Loves-to-Learn Lots
‎05-04-2022 03:43 AM

Hi,

I want to compare the count of calls obtained in a day with the target in lookup csv,

for example:

input csv:

header: label hr1, hr2,hr3,......hr24

row1: LA, 1,2,1,5.....6

search: date hour:

index=foo | stats count by Label date hour

output: LA, 0,0,0,...5

 

Expected output:

  count(from lookup file) count(from search) Passed
LA 1 1 pass
OA 2 1 fail

Can someone me in writing the code combining search and input lookup?

 

Labels (2)
Labels
0 Karma
Reply

doniv
Loves-to-Learn Lots
‎05-05-2022 03:13 AM

| lookup lookup.csv Label Hour is not showing any results...am i missing anything?

But |inpulookup lokup.csv display the content of csv

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-05-2022 03:20 AM

Possibly field name mismatches? (Fieldnames are case-sensitive)

Possibly field contents mismatch? (Lookups are usually set up as exact matches)

0 Karma
Reply

doniv
Loves-to-Learn Lots
‎05-04-2022 04:30 AM

I can manage to bring it for hourly basic, if i can able to do it for aggregated way..

Count of LA in inputlookup is 1 it should match with the search else it is fail

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-04-2022 05:06 AM

This is still not clear what you are trying to do

If you can change your lookup so it is like this:

LabelHourLookupCount
LA11
LA23
etc.  

Then you can do

| stats count by Label Hour
| lookup lookup.csv Label Hour
| eval Passed=if(count==LookupCount,"pass","fail")
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-04-2022 04:10 AM

Your expected output no longer has date or hour - is the hour no longer important?

Your csv appears to have columns for label and each hour but your search stats command will return columns with label, date, hour and count - are you able to rework your csv so it matches your search?

0 Karma
Reply

doniv
Loves-to-Learn Lots
‎05-04-2022 09:03 PM

I will work on the recommends suggested today and let you know

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...