Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to loop through results of a main inputloo...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
erwin_pader_1dc
New Member
10-26-2016
08:26 AM
hi,
i have a main search-
|inputlookup wlaa_hosts.csv | eval Host=split(HostList,",") | stats count by Host
that results with-
Host count
host1 1
host2 1
host3 1
i have another lookup that looks like-
MetricID AlertMsg
response_time resp time > 10
error_count error > 20
i want to loop through each of the host and attach it to every row in the child lookup, so that the result looks like-
Host MetricID AlertMsg
host1 response_time resp time > 10
host1 error_count error > 20
host2 response_time resp time > 10
host2 error_count error > 20
final step is to output each row to a KV Store lookup
i tried using the map command but it did not give me the desired result. appreciate very much for any help. thnx
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
10-26-2016
09:21 AM
Try like this
|inputlookup wlaa_hosts.csv | eval Host=split(HostList,",") | stats count by Host | join max=50 [| inputlookup secondlookup.csv | table MetricID AlertMsg ]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
10-26-2016
09:21 AM
Try like this
|inputlookup wlaa_hosts.csv | eval Host=split(HostList,",") | stats count by Host | join max=50 [| inputlookup secondlookup.csv | table MetricID AlertMsg ]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sundareshr
Legend
10-26-2016
09:21 AM
Try this
| inputlookup wlaa_hosts.csv | eval Host=split(HostList,",") | stats count by Host | inputlookup append=t secondfile.csv | fillnull Host value="settings" | eventstats values(if(eval(host="settings", MetricID, null()))) as MetricID values(if(eval(host="settings", AlertMsg, null()))) as AlertMsg by host | where Host!="settings" | eval z=mvzip(MetricID, AlertMsg, "#") | mvexpand z | rex field=z "(?<MetricID>[^#]+)#(?<AlertMsg>.+)" | fields - z
Get Updates on the Splunk Community!
Enter the Agentic Era with Splunk AI Assistant for SPL 1.4
🚀 Your data just got a serious AI upgrade — are you ready?
Say hello to the Agentic Era with the ...
Feel the Splunk Love: Real Stories from Real Customers
Hello Splunk Community,
What’s the best part of hearing how our customers use Splunk? Easy: the positive ...
Data Management Digest – November 2025
Welcome to the inaugural edition of Data Management Digest!
As your trusted partner in data innovation, the ...
