Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to include all rows from a lookup?

yma8000
New Member
‎07-28-2016 06:29 PM

Hi folks, newbee here, I'm trying to do this:

| stats values(duration) as DaysSinceLastAccess, count(duration) as Actual by duration
| join DaysSinceLastAccess [| inputlookup static_lookup.csv]

The problem is that the join only join on the values up to the max value i have from my real data. e.g. DaysSinceLastAccess is 22 days, but in the lookup, DaysSinceLastAccess goes up to 180

I wish to return all rows from lookup, I guess I could append the missing days to values(duration)?

Thanks

Tags (1)
0 Karma
Reply

sundareshr
Legend
‎07-29-2016 05:14 AM

Try this

... | stats count as Actual by duration | rename duration AS DaysSinceLastAccess | append [| inputlookup static_lookup.csv ] | stats max(count) as Actual by DaysSinceLastAccess
0 Karma
Reply
Get Updates on the Splunk Community!

OpenTelemetry for Legacy Apps? Yes, You Can!

This article is a follow-up to my previous article posted on the OpenTelemetry Blog, "Your Critical Legacy App ...

UCC Framework: Discover Developer Toolkit for Building Technology Add-ons

The Next-Gen Toolkit for Splunk Technology Add-on Development The Universal Configuration Console (UCC) ...

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...