Splunk Search

How to use inputlookup count of results as a filter for the main search?

sergiupopescu
New Member

So I have a search which pulls the number of servers in a farm that have the "X" application installed on them. Now I have a csv file I do a lookup into, which keeps the server status (Production/Testing/etc).

What I did was:
- to get from the main search a result which counts the number of servers where it is installed
- it displays Application Name | count of servers which have it installed

What I want to do now is to count the number of results from within a lookup and compare the results described above in the main search with this result. If there are differences, I would like to keep from the main search only the applications which are not installed on the same number of servers as the inputlookup results.

SO:
Main search:

{blablabla} | stats dc(host) by ApplicationName, Version

Subsearch would be:

| inputlookup *lookup table* | search Destination=*"PROD"* | stats count(host) 

(which in this particular case returns 89)
And I need to compare the number of servers which have the same ApplicationName on them with the 89 that resulted above.

Any help is highly appreciated


somesoni2
Revered Legend

Try something like this

{blablabla} | stats dc(host) as ServerCount by ApplicationName, Version | eval ServerCountLookup=[ | inputlookup lookup table | search Destination="PROD" | stats count(host) as count | return $count] | your comparison here...

sergiupopescu
New Member

Works perfect, thank you!
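
One way to fill in the comparison step from the accepted answer, as an added example that is not part of the original thread. The names `<your_index>`, `<your_sourcetype>`, `server_status.csv`, `ServerCount` and `MissingOn` are assumptions; `host`, `Destination`, `ApplicationName` and `Version` come from the posts above. It also restricts the main search to PROD hosts and uses `dc(host)` on the lookup, so both counts cover the same set of servers and duplicate lookup rows do not inflate the expected number.

```spl
index=<your_index> sourcetype=<your_sourcetype>
| lookup server_status.csv host OUTPUT Destination
| search Destination="PROD"
| stats dc(host) as ServerCount by ApplicationName, Version
| eval ServerCountLookup=[| inputlookup server_status.csv
    | search Destination="PROD"
    | stats dc(host) as count
    | return $count]
| where ServerCount != ServerCountLookup
| eval MissingOn = ServerCountLookup - ServerCount
| sort - MissingOn
```

Because `stats` without a `by` clause always returns one row, the subsearch yields 0 rather than an empty string when no PROD rows match, so the `eval` stays syntactically valid.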
