Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to edit an inputlookup search that returns...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
TheJagoff
Communicator
12-06-2016
08:12 AM
Hello (again),
I have a lookup table that has 17 fields in it and 200 total records, but of interest to me is a table named "pub_table" that I want to match against records in my index=prod sourcetype=stats table_name field - which has about 1500 unique table_name entries.
When I perform the following
|inputlookup assets_mapping_flow.csv| sort pub_table|table pub_table
the data I receive is along the lines of (I'm masking the data):
flow_01
flow_02
flow_03
...
flow_200
When I do the following search for my report:
index=prod sourcetype=stats [|inputlookup assets_mapping_flow.csv |return 200 $pub_table] | stats dc(table_name) by table_name
this is what I receive on the report
flow_1
flow_1a
flow_1a_test
flow_2
flow_2a
I only want to see flow_1, flow_2, flow_3 and so on, so it appears that I'm getting anything that contains those expressions.
Question - how do I correct this?
Many thanks.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
cmerriman
Super Champion
12-06-2016
08:20 AM
try something like:
index=prod sourcetype=stats [|inputlookup assets_mapping_flow.csv|rename pub_table as table_name |return 200 table_name] | stats dc(table_name) by table_name
or
index=prod sourcetype=stats [|inputlookup assets_mapping_flow.csv|rename pub_table as table_name |table table_name|format] | stats dc(table_name) by table_name
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
cmerriman
Super Champion
12-06-2016
08:20 AM
try something like:
index=prod sourcetype=stats [|inputlookup assets_mapping_flow.csv|rename pub_table as table_name |return 200 table_name] | stats dc(table_name) by table_name
or
index=prod sourcetype=stats [|inputlookup assets_mapping_flow.csv|rename pub_table as table_name |table table_name|format] | stats dc(table_name) by table_name
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
TheJagoff
Communicator
12-06-2016
08:28 AM
Yes works great, going with the first option for my case.
Thank you!
Get Updates on the Splunk Community!
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
The Transformative Power of AI and ML in Enhancing Observability
In the realm of IT operations, the ...
.conf24 | Registration Open!
Hello, hello! I come bearing good news: Registration for .conf24 is now open!
conf is Splunk’s rad annual ...
ICYMI - Check out the latest releases of Splunk Edge Processor
Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.
HEC Receiver authorization ...
