How to search from a static lookup?

CStroud
Engager

Hi,

I'm trying to create a table that contains a list of tasks. The list is static and stored in a lookup table called tasks.csv.

So far I have the following search:

index=one OR index=two | rex field=_raw "^[0-9-:.\s]*\w+\s+(?<task>.*)" | stats count by task
| search [|inputlookup tasks.csv ]

This creates me a table that looks like this:

task count
task_a 1
task_b 1
task_c 1
task_d 1

However, if a task in my static list does not appear in the search results, it does not show in the table.
I want the table to contain the whole list of tasks, regardless of whether they appear in the search results or not.

i.e.

task count
task_a 1
task_b 1
task_c 1
task_d 1
task_e 0
task_f 0

Any ideas on how I can do this?

The closest I've got is using a join, which does work, but does not allow for a wildcard, meaning I'd need to specify the whole 'task'.

|inputlookup tasks.csv 
| join type=left task [ | search index=one OR index=two | rex field=_raw "^[0-9-:.\s]*\w+\s+(?<task>.*)" | stats count by task] 
| fillnull value=0 count
| table task count

Would appreciate any thoughts or suggestions.
Thanks in advance.

ITWhisperer
SplunkTrust

index=one OR index=two | rex field=_raw "^[0-9-:.\s]*\w+\s+(?<task>.*)" | stats count as index_count by task
| eval location = 1
| append
  [|inputlookup tasks.csv | eval location = 2 ]
| stats sum(location) as location sum(index_count) as index_count by task
| fillnull value=0 index_count

If location = 1, the task is in the indexes but not in the lookup

If location = 2, the task is in the lookup but not in the indexes

If location = 3, the task is in both the lookup and the indexes

CStroud
Engager

Thanks for the quick reply!

I've also added the following to the end:

| search location=3 OR location=2
| eval status=if(location=2,"Waiting...","Completed")
| table task status

This now lists all of my defined tasks and tells me whether the task has run or not, based on whether the event is returned by the search.

How do I include wildcards?
The task from my indexed data looks like this: "task_a has run successfully with return code x after y minutes"
My lookup task is simply "task_a has run successfully"
So I'd like the search to allow for task_a has run successfully*

ITWhisperer
SplunkTrust

Change your rex so that only the first part is extracted into task

| rex field=_raw "^[0-9-:.\s]*\w+\s+(?<task>.* has run successfully)"
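The append-and-sum pattern from the accepted answer, combined with the prefix-only rex from the follow-up, reproduced in Python as an added example so the logic can be checked offline. This is not code from the thread or from Splunk: the sample events, the stand-in for tasks.csv, the "Unexpected" label for location=1 rows and the function names are all constructed here. Each function is commented with the SPL stage it corresponds to.

```python
import re
from collections import Counter

# Constructed sample events standing in for "index=one OR index=two".
# Each is "<timestamp> <host> <message>", the shape the thread's rex expects.
SAMPLE_EVENTS = [
    "2024-01-01 02:00:01.123 hostA task_a has run successfully with return code 0 after 12 minutes",
    "2024-01-01 02:05:00.000 hostB task_b has run successfully with return code 0 after 3 minutes",
    "2024-01-01 02:10:00.000 hostA task_c has run successfully with return code 1 after 40 minutes",
    "2024-01-01 02:12:00.000 hostC task_d has run successfully",
    "2024-01-01 02:15:00.000 hostC task_z has run successfully with return code 0 after 1 minutes",
    "2024-01-01 02:16:00.000 hostC heartbeat ok",
]

# Constructed stand-in for tasks.csv: one column, "task", one row per expected task.
LOOKUP_TASKS = [
    "task_a has run successfully",
    "task_b has run successfully",
    "task_c has run successfully",
    "task_d has run successfully",
    "task_e has run successfully",
    "task_f has run successfully",
]

# Equivalent of the final rex in the thread: skip the timestamp and the host token,
# then capture only the fixed prefix ending in "has run successfully", so the
# variable "with return code x after y minutes" tail cannot spoil the match.
TASK_RE = re.compile(r"^[0-9:.\s-]*\w+\s+(?P<task>.* has run successfully)")

STATUS_BY_LOCATION = {
    1: "Unexpected",   # in the indexes only; label added here, the thread filters these out
    2: "Waiting...",   # in the lookup only: expected but not seen
    3: "Completed",    # in both
}


def extract_task(event):
    """rex field=_raw ...: return the task prefix, or None when the event does not match."""
    m = TASK_RE.match(event)
    return m.group("task") if m else None


def count_tasks(events):
    """stats count as index_count by task"""
    return Counter(t for t in map(extract_task, events) if t is not None)


def reconcile(events, lookup_tasks):
    """
    The append/sum trick: index rows carry location=1, lookup rows location=2;
    summing per task yields 1 (index only), 2 (lookup only) or 3 (both).
    Returns {task: {"location": int, "index_count": int, "status": str}}.
    """
    rows = {}
    for task, n in count_tasks(events).items():
        rows[task] = {"location": 1, "index_count": n}
    # set(): duplicate rows in the lookup would otherwise push the sum past 3
    for task in set(lookup_tasks):
        row = rows.setdefault(task, {"location": 0, "index_count": 0})  # fillnull value=0 index_count
        row["location"] += 2
    for row in rows.values():
        row["status"] = STATUS_BY_LOCATION[row["location"]]
    return rows


def report(events, lookup_tasks):
    """search location=3 OR location=2 | table task status, as in the thread."""
    rows = reconcile(events, lookup_tasks)
    return {task: row["status"] for task, row in sorted(rows.items()) if row["location"] in (2, 3)}


def unexpected(events, lookup_tasks):
    """location=1 rows: tasks reporting in that nobody defined in tasks.csv."""
    rows = reconcile(events, lookup_tasks)
    return sorted(task for task, row in rows.items() if row["location"] == 1)


if __name__ == "__main__":
    for task, status in report(SAMPLE_EVENTS, LOOKUP_TASKS).items():
        print(f"{task:<32} {status}")
    print("not in lookup:", unexpected(SAMPLE_EVENTS, LOOKUP_TASKS))
```

Two caveats carry back to the SPL version. The sum only encodes membership if each side contributes a task at most once: `stats count by task` deduplicates the index side, but tasks.csv must not contain duplicate rows (add `| dedup task` inside the subsearch if it might). And the location=1 rows that the thread discards are worth keeping in a separate panel: a job name that reports in without being defined in the lookup is exactly the kind of drift a SOC wants to notice.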