Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create a search to compare  all my products from my lookup, if they are "price tagged" or not?

zacksoft_wf
Contributor
‎06-13-2022 04:31 AM

I have a list of products  (that i have in a csv lookup) with fields such as
prod_name, product_ID, price_tag
look up name : myproduct.csv

I want to compare  all my products from my lookup, if they are "price tagged" or not ?  
I have an index and sourcetype that contains events of all the products that are "price tagged."
index=all sourceype=all_price_tagged_poducts
Fields : prod_ID (same as product_ID of the lookup)

If the product_ID value from my lookup is present in any of the events in the sourcetype=all_price_tagged_poduct, then I know that all products in my .csv lookup are 'price tagged' 

Need help to write a query for it.


Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎06-13-2022 04:54 AM

Hi @zacksoft_wf,

only one question: the products to check are more or less than 50,000?

Supponing that they are less than 50,000, you could use a search like this:

| inputlookup myproduct.cs
| search [ search index=all sourceype=all_price_tagged_poducts | fields prod_ID ]
| table prod_name, product_ID

in this way you have all the prod_name of the lookup present in the index.

If instead you want a status (taggen/not tagged), you should follow a different approach:

index=all sourceype=all_price_tagged_poducts
| append [| inputlookup myproduct.csv | rename product_ID AS prod_ID | fields prod_ID prod_name price_tag ]
| stats dc(index) AS dc_index values(prod_name) AS prod_name values(price_tag9 AS price_tag BY prod_ID 
| eval status=icase(dc_index="1" AND price_tag="*","Both index and lookup", dc_index="1" AND NOT price_tag="*","Only index",dc_index="0","Only lookup")
| table prod_ID prod_name price_tag status

Ciao.

Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎06-13-2022 04:54 AM

Hi @zacksoft_wf,

only one question: the products to check are more or less than 50,000?

Supponing that they are less than 50,000, you could use a search like this:

| inputlookup myproduct.cs
| search [ search index=all sourceype=all_price_tagged_poducts | fields prod_ID ]
| table prod_name, product_ID

in this way you have all the prod_name of the lookup present in the index.

If instead you want a status (taggen/not tagged), you should follow a different approach:

index=all sourceype=all_price_tagged_poducts
| append [| inputlookup myproduct.csv | rename product_ID AS prod_ID | fields prod_ID prod_name price_tag ]
| stats dc(index) AS dc_index values(prod_name) AS prod_name values(price_tag9 AS price_tag BY prod_ID 
| eval status=icase(dc_index="1" AND price_tag="*","Both index and lookup", dc_index="1" AND NOT price_tag="*","Only index",dc_index="0","Only lookup")
| table prod_ID prod_name price_tag status

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎06-14-2022 04:04 AM

Hi @zacksoft_wf

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...