Splunk Search

How to get a stats count against the sourcetype from lookup table while listing all other fields?

Engager

I have a lookup table that consists of 5 fields (index, sourcetype, description, owner, os). I would like to perform a stats count against the sourcetype, while listing all the other fields in the lookup table. However, I cannot figure out how to search against my data to populate the stats count by sourcetype. Below is the search I have created.

|inputlookup Sourctype.csv|fields + index, sourcetype, desc, owner, os|stats count by sourcetype, index, desc, os
Tags (3)
0 Karma

Revered Legend

I believe you need something like this

 |inputlookup Sourctype.csv|fields + index, sourcetype, desc, owner, os|eventstats count by sourcetype

THis will just a new columns count with count based on sourcetype, keeping all rows together.

0 Karma

Esteemed Legend

Like this:

|inputlookup Sourctype.csv |stats values(*) BY sourcetype | appendcols [|inputlookup Sourctype.csv |stats dc(sourcetype)]
0 Karma

Esteemed Legend

I am not exactly sure what you are trying to get but maybe like this:

| inputlookup Sourctype.csv | stats count values(*) BY sourcetype

This counts the number of lines that contain each sourcetype and lists the values of the other fields, too.

0 Karma

Engager

Thanks Woodcock for your response.

Unfortunately I'm only getting a count for the first row , as a opposed to each row.

How would I go about getting a stats count for each row as well?

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!