Solved: How to display search with multiple lookup? [SOLVE...

brad_ · ‎07-05-2022

Hello
I have several lookups and I would like to display the details on a date range but I can't really do it
I have tried several combinations but either I display the last one or I display too many elements
As a bonus if I could have the total it would be cool

| inputlookup file1.csv
| append
    [| inputlookup file2.csv]
| append
    [| inputlookup file3.csv]
| append
    [| inputlookup file4.csv]
| append
    [| inputlookup file5.csv]
| append
    [| inputlookup file6.csv]
| sort - _time
| eval date = strftime(_time,"%Y-%m-%d")
| search date>2022-07-01 AND date<2022-07-04
| transpose 6
| sort - column
| search column=date OR column=count
| fields - column
| rename "row 1" as "name1", "row 2" as "name2", "row 3" as "name3", "row 4" as "name4", "row 5" as "name5", "row 6" as "name6"

ITWhisperer · ‎07-05-2022

| inputlookup file1.csv
| rename count as file1
| append
    [| inputlookup file2.csv
    | rename count as file2]
| append
    [| inputlookup file3.csv
    | rename count as file3]
| append
    [| inputlookup file4.csv
    | rename count as file4]
| append
    [| inputlookup file5.csv
    | rename count as file5]
| append
    [| inputlookup file6.csv
    | rename count as file6]
| stats values(*) as * by _time
| addtotals col=t row=f label=Total labelfield=_time

View solution in original post

brad_ · ‎07-12-2022

Thx for your help

ITWhisperer · ‎07-05-2022

It is not clear what you are trying to achieve - can you share some of the events (contents of csv files) and what your expected output would be

Having said that, you might want to use where command rather than search and use unformatted epoch times

| where _time > strptime("2022-07-01","%Y-%m-%d") AND _time < strptime("2022-07-04","%Y-%m-%d")
| transpose 6
| sort - column
| where column="_time" OR column="count"

brad_ · ‎07-05-2022

Hello sorry to be unclear
all lookup have the same model see below

I need to display the items per line for each date of the range see the result file

Date	file1	file2	file3	file4	file5	file
04/07/2022	235	235	366	4554	56	83
05/07/2022	210	300	125	12011	15	13
06/07/2022	185	365	116	19468	26	57
07/07/2022	160	430	357	26925	67	127
08/07/2022	135	495	598	34382	108	198
Total	925	1825	1562	97340	272	478

I hope that it is clearer
Thx

ITWhisperer · ‎07-05-2022

| inputlookup file1.csv
| rename count as file1
| append
    [| inputlookup file2.csv
    | rename count as file2]
| append
    [| inputlookup file3.csv
    | rename count as file3]
| append
    [| inputlookup file4.csv
    | rename count as file4]
| append
    [| inputlookup file5.csv
    | rename count as file5]
| append
    [| inputlookup file6.csv
    | rename count as file6]
| stats values(*) as * by _time
| addtotals col=t row=f label=Total labelfield=_time

How to display search with multiple lookup? [SOLVED]

lookup

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!