Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create a search to compare  all my products from my lookup, if they are "price tagged" or not?

zacksoft_wf
Contributor
‎06-13-2022 04:31 AM

I have a list of products  (that i have in a csv lookup) with fields such as
prod_name, product_ID, price_tag
look up name : myproduct.csv

I want to compare  all my products from my lookup, if they are "price tagged" or not ?  
I have an index and sourcetype that contains events of all the products that are "price tagged."
index=all sourceype=all_price_tagged_poducts
Fields : prod_ID (same as product_ID of the lookup)

If the product_ID value from my lookup is present in any of the events in the sourcetype=all_price_tagged_poduct, then I know that all products in my .csv lookup are 'price tagged' 

Need help to write a query for it.


Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎06-13-2022 04:54 AM

Hi @zacksoft_wf,

only one question: the products to check are more or less than 50,000?

Supponing that they are less than 50,000, you could use a search like this:

| inputlookup myproduct.cs
| search [ search index=all sourceype=all_price_tagged_poducts | fields prod_ID ]
| table prod_name, product_ID

in this way you have all the prod_name of the lookup present in the index.

If instead you want a status (taggen/not tagged), you should follow a different approach:

index=all sourceype=all_price_tagged_poducts
| append [| inputlookup myproduct.csv | rename product_ID AS prod_ID | fields prod_ID prod_name price_tag ]
| stats dc(index) AS dc_index values(prod_name) AS prod_name values(price_tag9 AS price_tag BY prod_ID 
| eval status=icase(dc_index="1" AND price_tag="*","Both index and lookup", dc_index="1" AND NOT price_tag="*","Only index",dc_index="0","Only lookup")
| table prod_ID prod_name price_tag status

Ciao.

Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎06-13-2022 04:54 AM

Hi @zacksoft_wf,

only one question: the products to check are more or less than 50,000?

Supponing that they are less than 50,000, you could use a search like this:

| inputlookup myproduct.cs
| search [ search index=all sourceype=all_price_tagged_poducts | fields prod_ID ]
| table prod_name, product_ID

in this way you have all the prod_name of the lookup present in the index.

If instead you want a status (taggen/not tagged), you should follow a different approach:

index=all sourceype=all_price_tagged_poducts
| append [| inputlookup myproduct.csv | rename product_ID AS prod_ID | fields prod_ID prod_name price_tag ]
| stats dc(index) AS dc_index values(prod_name) AS prod_name values(price_tag9 AS price_tag BY prod_ID 
| eval status=icase(dc_index="1" AND price_tag="*","Both index and lookup", dc_index="1" AND NOT price_tag="*","Only index",dc_index="0","Only lookup")
| table prod_ID prod_name price_tag status

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎06-14-2022 04:04 AM

Hi @zacksoft_wf

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...