Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to update a lookup file with top command results?

srinivasup
Explorer
‎03-18-2017 08:06 AM

Hi,

I have lookup file with host and count fields as below

host.csv

host  count
-----------------
host1 10
host2 20
host3 30
host4 40
host5 50
host6 60
host7 70

Now i will get top 5 host counts from log events as below

index=main | top 5 host | table host count.

result:

host1 2
host2 3
host3 4
host4 5
host5 6

Now i want to update these top command results in csv and sum them and get final top 5 host count.
Final output should be in lookup file for further usage:

host   count
-----------------
host1 12
host2 23
host3 34
host4 45
host5 56
host6 60
host7 70
Tags (5)
0 Karma
Reply

niketn
Legend
‎03-25-2017 10:35 AM

@srinivasup... Were you able to try out any one of the following options?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

woodcock
Esteemed Legend
‎03-18-2017 07:19 PM

Like this:

index=main | top 5 host | table host count | appendpipe [|inputcsv host.csv] | stats sum(count) AS count BY host | outputcsv host.csv
0 Karma
Reply

niketn
Legend
‎03-18-2017 12:51 PM

Try something like following with accum. Streamstats will also allow you to achieve the same.

index=main [inputlookup host.csv | table sourcetype]
| lookup host.csv host OUTPUT count as csvCount
| stats count as indexCount values(csvCount) as csvCount by sourcetype
| sort -indexCount 
| eval counter=1
| accum counter
| eval count=if(counter<=5,indexCount+csvCount,csvCount)
| table sourcetype count
| outputlookup host.csv
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

Community Content Calendar, November Edition

Welcome to the November edition of our Community Spotlight! Each month, we dive into the Splunk Community to ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...