Splunk Search

How to edit an inputlookup search that returns more results than expected?

TheJagoff
Communicator

Hello (again),

I have a lookup table that has 17 fields in it and 200 total records, but of interest to me is a table named "pub_table" that I want to match against records in my index=prod sourcetype=stats table_name field - which has about 1500 unique table_name entries.

When I perform the following

|inputlookup assets_mapping_flow.csv| sort pub_table|table pub_table

the data I receive is along the lines of (I'm masking the data):

flow_01
flow_02
flow_03
...
flow_200

When I do the following search for my report:

index=prod sourcetype=stats [|inputlookup assets_mapping_flow.csv |return 200 $pub_table] | stats dc(table_name) by table_name

this is what I receive on the report

flow_1
flow_1a
flow_1a_test
flow_2
flow_2a

I only want to see flow_1, flow_2, flow_3 and so on, so it appears that I'm getting anything that contains those expressions.

Question - how do I correct this?

Many thanks.

0 Karma
1 Solution

cmerriman
Super Champion

try something like:

index=prod sourcetype=stats [|inputlookup assets_mapping_flow.csv|rename pub_table as table_name |return 200 table_name] | stats dc(table_name) by table_name

or

index=prod sourcetype=stats [|inputlookup assets_mapping_flow.csv|rename pub_table as table_name |table table_name|format] | stats dc(table_name) by table_name
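
The searches below are an added example for this thread, not part of cmerriman's or TheJagoff's posts. They assume the same lookup file `assets_mapping_flow.csv` with a `pub_table` column and the same `index=prod sourcetype=stats` events carrying a `table_name` field; `count` is used instead of `dc(table_name)` only so the numbers per table are meaningful. Run the first three on their own and read the `search` field they produce: that is exactly the text Splunk splices into the outer search, which is the quickest way to see why one version over-matched and the other does not. The last search is an alternative that avoids the subsearch altogether by filtering with `lookup`.

```spl
| inputlookup assets_mapping_flow.csv | return 200 $pub_table

| inputlookup assets_mapping_flow.csv | rename pub_table AS table_name | return 200 table_name

| inputlookup assets_mapping_flow.csv | rename pub_table AS table_name | table table_name | format

index=prod sourcetype=stats
    [| inputlookup assets_mapping_flow.csv | rename pub_table AS table_name | table table_name | format]
| stats count BY table_name

index=prod sourcetype=stats
| lookup assets_mapping_flow.csv pub_table AS table_name OUTPUT pub_table AS in_lookup
| where isnotnull(in_lookup)
| stats count BY table_name
```

The first search, with the `$` prefix, returns bare values such as `flow_01 OR flow_02 OR ...` with no field name, so the outer search matches those terms anywhere in the raw event rather than only in `table_name`. The second and third produce field-scoped terms such as `table_name="flow_01" OR table_name="flow_02" OR ...`, which is why the rename fixes the report. Two caveats worth knowing: `return` without a count returns only the first row, so the `200` is not optional, and any subsearch is capped by `limits.conf` `[subsearch]` (`maxout`, default 10000 results, and `maxtime`, default 60 seconds). With 200 rows that is no concern, but for a larger lookup the `lookup`-based filter at the end scales better because nothing is expanded into the search string.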

TheJagoff
Communicator

Yes works great, going with the first option for my case.

Thank you!

0 Karma