
How to display limited results from a field

MikeB
Path Finder

I have a field named failcode with numerous fail code names structured like this:

date        failcode  count
2021-10-01  g-ab      123
2021-10-01  g-bc      258
2021-10-01  g-cd      369
2021-10-01  c-ab      456
2021-10-01  c-bc      124
2021-10-01  c-cd      325
2021-10-01  d-ab      854
2021-10-01  d-bc      962
2021-10-01  d-cd      362
2021-10-01  d-dd      851
2021-10-02  g-ab      963
2021-10-02  g-bc      101
2021-10-02  g-cd      171
2021-10-02  c-ab      320
2021-10-02  c-bc      214
2021-10-02  c-cd      985
2021-10-02  d-ab      165
2021-10-02  d-bc      130
2021-10-02  d-cd      892
2021-10-02  d-dd      964
2021-10-03  g-ab      653
2021-10-03  g-bc      285
2021-10-03  g-cd      634
2021-10-03  c-ab      689
2021-10-03  c-bc      752
2021-10-03  c-cd      452
2021-10-03  d-ab      365
2021-10-03  d-bc      125
2021-10-03  d-cd      691
2021-10-03  d-dd      354


I want to only keep certain codes: g-ab, c-cd, and d-dd and not display the rest in my results. Essentially I just want to display certain results from my failcode column. 

0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

To filter your results, use the search or where command.

... | search failcode IN ("g-ab", "c-cd", "d-dd")
... | where IN(failcode, "g-ab", "c-cd", "d-dd")

For better performance put the IN option from the search command above in the base search.

index=foo failcode IN ("g-ab", "c-cd", "d-dd")
| ...


---
If this reply helps you, Karma would be appreciated.


MikeB
Path Finder

Would this method also work with a search that is using a lookup table? I tried using the below but didn't come up with any results. Would this not work with a lookup table? 

| inputlookup myfile.csv
| where IN(failcode, "g-ab", "c-cd", "d-dd")
| ...


0 Karma

nmohammed
Contributor

@MikeB 

inputlookup can be used to fetch results. 

| inputlookup myfile.csv 
| where failcode IN ("g-ab", "c-cd", "d-dd")

MikeB
Path Finder

Hmmm, I still cannot get any results to display. Is there something specific I should use after that such as using "fields" instead of "table" to display my results? 

0 Karma

nmohammed
Contributor

Are you able to see the contents of the lookup file created? Run the following command:

| inputlookup myfile.csv


MikeB
Path Finder

Yes, I'm able to see the entire contents of my lookup file. The file is structured as follows:

_time, failcode, source, failcount

0 Karma

nmohammed
Contributor

It should work, I tried it out with the CSV file you shared.

It could be permissions (but you're able to see the contents of the lookup using inputlookup).

Check the field names (case-sensitive) and also spell-check.

Try another way (replace with your filename):

| inputlookup answers-571716.csv
| where failcode="g-ab" OR failcode="c-cd" OR failcode="d-dd"
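The two things this thread turns on are the `IN` filter itself (richgalloway's answer) and the reason a correct-looking filter can still return nothing against a lookup (nmohammed's advice to check field names for case and spelling). The Python script below is an added example, not code from the thread or from Splunk: it reads a small constructed CSV shaped like the `_time, failcode, source, failcount` layout MikeB described, reports the column names exactly as a CSV reader sees them (including any stray whitespace around a header such as ` failcode`), flags near misses that differ only by case or whitespace, and then applies the same three-value `IN` filter. The header-with-spaces case is a constructed assumption used to show the failure mode; whether Splunk itself trims header whitespace is not established by the thread, so the script only reports what is in the file and leaves the fix (clean the header) to the reader.

```python
import csv
import io

# Constructed sample lookup in the "_time, failcode, source, failcount"
# layout from the thread. The spaces after the commas in the header line are
# deliberate: a CSV reader keeps them as part of the column name.
SAMPLE_LOOKUP = """\
_time, failcode, source, failcount
2021-10-01,g-ab,hostA,123
2021-10-01,g-bc,hostA,258
2021-10-01,c-cd,hostB,325
2021-10-01,d-dd,hostC,851
2021-10-02,G-AB ,hostA,963
2021-10-02,c-cd,hostB,985
"""

# The codes the thread wants to keep.
WANTED = ("g-ab", "c-cd", "d-dd")


def load_lookup(text):
    """Parse lookup CSV text into a list of dict rows, headers kept verbatim."""
    return list(csv.DictReader(io.StringIO(text)))


def field_name_report(rows, wanted_field):
    """Say whether `wanted_field` exists exactly, and list headers that differ
    from it only by case or surrounding whitespace (the checks the thread
    suggests before blaming permissions)."""
    if not rows:
        return {"exact": False, "near_misses": []}
    names = list(rows[0].keys())
    exact = wanted_field in names
    near = [n for n in names
            if n != wanted_field and n.strip().lower() == wanted_field.lower()]
    return {"exact": exact, "near_misses": near}


def filter_in(rows, field, values, normalize=False):
    """Offline equivalent of `where field IN (...)`: keep rows whose value is in
    `values`. normalize=True also ignores case and stray whitespace in the
    data; that is a diagnostic aid here, not a claim about Splunk's matching."""
    def norm(s):
        return s.strip().lower() if normalize else s
    wanted = {norm(v) for v in values}
    return [row for row in rows
            if row.get(field) is not None and norm(row[field]) in wanted]


def diagnose(text, field, values):
    """Run the field-name check, then the IN filter strictly and normalized."""
    rows = load_lookup(text)
    report = field_name_report(rows, field)
    if report["exact"]:
        col = field
    elif report["near_misses"]:
        col = report["near_misses"][0]   # best guess; the real fix is the header
    else:
        col = None
    strict = filter_in(rows, col, values) if col else []
    loose = filter_in(rows, col, values, normalize=True) if col else []
    return {
        "field_names": list(rows[0].keys()) if rows else [],
        "field_report": report,
        "strict_matches": len(strict),
        "normalized_matches": len(loose),
    }


if __name__ == "__main__":
    result = diagnose(SAMPLE_LOOKUP, "failcode", WANTED)
    # repr() makes a leading space in a header visible on screen.
    print("field names as read:", [repr(n) for n in result["field_names"]])
    print("field report:", result["field_report"])
    print("rows matching IN exactly:", result["strict_matches"])
    print("rows matching after trim/lower:", result["normalized_matches"])
```

On the constructed file the report shows no exact `failcode` column but a near miss ` failcode`, which is exactly the kind of mismatch a filter on `failcode` would silently miss; once the right column is used, the strict filter keeps four rows and the normalized one five, because `G-AB ` only matches after trimming and lowercasing.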

