Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to return 0 count of events from a lookup file?

Hithere
Engager
‎03-14-2022 08:45 AM

I'm trying to match all domains from a lookup file with a base search and get a count of the events for each one even if there are no events matching (0 count):

mysite.com  count 12
anothersite.com count 5
myothersite.com count 0

 

 

 

 

index=application sourcetype=mysource
| lookup myfile.csv Domain as <corelated event field>
| append [ | inputlookup myfile.csv | fields Domain]
| stats count as total by Domain
| fillnull value=0 total
| table total
| sort -total

 

 

 

 

If you can, please explain your answer - whether there is a syntax error, a keyword misuse, or conceptual error on my part. 

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎03-14-2022 09:57 AM

Hi @Hithere,

I was confused with another question, my answer is to have the domains with no logs.

If you want all the domains with status, you could use something like this:

index=application WAFRuleMessage="Anomaly Exceeded" 
| eval Domain=lower(domain)
| stats count as ct_Domain by Domain
| append [ | inputlookup mylookupfile.csv | eval Domain=lower(domain), ct_Domain=0 | fields Domain AGS ENV ct_Domain ]
| stats sum(ct_Domain) as total by AGS ENV Domain
| sort AGS -ENV -count
| eval status=if(total=0,"Not present","Present")
| table AGS ENV Domain status

Ciao.

Giuseppe

 

View solution in original post

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎03-14-2022 09:21 AM

Hi @Hithere,

please try something like this:

index=application WAFRuleMessage="Anomaly Exceeded" 
| eval Domain=lower(domain)
| stats count as ct_Domain by Domain
| append [ | inputlookup mylookupfile.csv | eval Domain=lower(domain), ct_Domain=0 | fields Domain AGS ENV ct_Domain ]
| stats sum(ct_Domain) as total by AGS ENV Domain
| sort AGS -ENV -count
| where total=0

Ciao.

Giuseppe

Reply
Solved! Jump to solution

Hithere
Engager
‎03-14-2022 09:44 AM

This query retrieves all the lookup domains as desired, but all the total count of events for each domain is 0 which is not expected.

Hithere_0-1647276243185.png

 

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎03-14-2022 09:57 AM

Hi @Hithere,

I was confused with another question, my answer is to have the domains with no logs.

If you want all the domains with status, you could use something like this:

index=application WAFRuleMessage="Anomaly Exceeded" 
| eval Domain=lower(domain)
| stats count as ct_Domain by Domain
| append [ | inputlookup mylookupfile.csv | eval Domain=lower(domain), ct_Domain=0 | fields Domain AGS ENV ct_Domain ]
| stats sum(ct_Domain) as total by AGS ENV Domain
| sort AGS -ENV -count
| eval status=if(total=0,"Not present","Present")
| table AGS ENV Domain status

Ciao.

Giuseppe

 

Reply
Get Updates on the Splunk Community!

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...