Splunk Search

How to display limited results from a field

MikeB
Path Finder

I have a field named failcode with numerous fail code names structured like this:

date        failcode  count
2021-10-01  g-ab      123
2021-10-01  g-bc      258
2021-10-01  g-cd      369
2021-10-01  c-ab      456
2021-10-01  c-bc      124
2021-10-01  c-cd      325
2021-10-01  d-ab      854
2021-10-01  d-bc      962
2021-10-01  d-cd      362
2021-10-01  d-dd      851
2021-10-02  g-ab      963
2021-10-02  g-bc      101
2021-10-02  g-cd      171
2021-10-02  c-ab      320
2021-10-02  c-bc      214
2021-10-02  c-cd      985
2021-10-02  d-ab      165
2021-10-02  d-bc      130
2021-10-02  d-cd      892
2021-10-02  d-dd      964
2021-10-03  g-ab      653
2021-10-03  g-bc      285
2021-10-03  g-cd      634
2021-10-03  c-ab      689
2021-10-03  c-bc      752
2021-10-03  c-cd      452
2021-10-03  d-ab      365
2021-10-03  d-bc      125
2021-10-03  d-cd      691
2021-10-03  d-dd      354

I want to only keep certain codes: g-ab, c-cd, and d-dd and not display the rest in my results. Essentially I just want to display certain results from my failcode column. 

1 Solution

richgalloway
SplunkTrust

To filter your results, use the search or where command.

... | search failcode IN ("g-ab", "c-cd", "d-dd")
... | where IN(failcode, "g-ab", "c-cd", "d-dd")

For better performance, put the IN option from the search command above in the base search.

index=foo failcode IN ("g-ab", "c-cd", "d-dd")
| ...

---
If this reply helps you, an upvote would be appreciated.
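Added example, not code from the original answer: the accepted filter carried through to a daily per-code tally on the indexed data the question shows. `index=foo` is the placeholder from the answer above; `sourcetype=failcodes`, the `count` field name taken from the question's table, and the 500 threshold are assumptions made for illustration.

```spl
index=foo sourcetype=failcodes failcode IN ("g-ab", "c-cd", "d-dd")
| bin _time span=1d
| stats sum(count) AS total BY _time failcode
| where total > 500
| sort - total
| table _time failcode total
```

Keeping the IN list in the base search means the indexers discard non-matching events before anything reaches the search head, which is where the performance gain comes from. `where` is reserved here for the comparison against `total`, a value that only exists after `stats` and so cannot be filtered any earlier.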

MikeB
Path Finder

Would this method also work with a search that is using a lookup table? I tried using the below but didn't come up with any results. Would this not work with a lookup table? 

| inputlookup myfile.csv
| where IN(failcode, "g-ab", "c-cd", "d-dd")
| ...

nmohammed
Contributor

@MikeB 

inputlookup can be used to fetch results. 

| inputlookup myfile.csv 
| where failcode IN ("g-ab", "c-cd", "d-dd")

MikeB
Path Finder

Hmmm, I still cannot get any results to display. Is there something specific I should use after that such as using "fields" instead of "table" to display my results? 


nmohammed
Contributor

Are you able to see the contents of the lookup file you created? Run the following command:

| inputlookup myfile.csv

MikeB
Path Finder

Yes, I'm able to see the entire contents of my lookup file. The file is structured as follows:

_time, failcode, source, failcount


nmohammed
Contributor

It should work; I tried it out with the csv file you shared.

It could be permissions (but you're able to see the contents of the lookup using inputlookup).

Check the field names (case-sensitive) and also spell-check.

Try another way (replace with your filename):

| inputlookup answers-571716.csv
| where failcode="g-ab" OR failcode="c-cd" OR failcode="d-dd"
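Added example, not part of nmohammed's reply: two searches for the lookup case. The first lists the field names and sample values that `inputlookup` actually returns, which is the quickest way to spot a field name that differs in case or carries stray whitespace from the CSV header (the header quoted earlier in the thread has spaces after the commas). The second trims the values before filtering and then aggregates them. `myfile.csv` and its columns (`_time`, `failcode`, `source`, `failcount`) come from the thread; the `trim` step is an assumption about a plausible cause of the empty result, not a confirmed diagnosis.

```spl
| inputlookup myfile.csv
| fieldsummary maxvals=10

| inputlookup myfile.csv
| eval failcode=trim(failcode)
| where failcode IN ("g-ab", "c-cd", "d-dd")
| stats sum(failcount) AS total BY _time failcode source
| sort _time failcode
```

If `fieldsummary` shows the column under a different name (for example with different capitalisation), the `where` clause is comparing against a field that does not exist on the events, and an empty result is exactly what Splunk returns in that case; fix the header in the CSV or use the name as listed.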

 
