How to use inputlookup in a search, but convert th...

MPJ44 · ‎12-07-2022

I have a .csv with this format (this is a mock, just to give you an idea of the pattern)

code, message,

1, "Not found",

2, "Internal error",

3, "Success",

My search allow to do a stats count by code, but not by message.

What I need to do is return a table with the message and their count.

What I have so far is this query, but it returns a table of code by count, but I need message by count (and all category must be return, even those with count of zero):

the search | append [input lookup the csv file]
|stats count by message

I tried to play with fields and table, but I don't get the desired result.

yuanliu · ‎12-07-2022

Why is it necessary to use inputlookup as opposed to lookup, which appears more directly applicable? (And more efficient.)

the search
| stats count by code
| lookup the_csv_file code
| fields - code ``` if you do not want to display code ```

MPJ44 · ‎12-07-2022

This solution doesn't display code with count value of zero.

Here is a solution I came up with the help of another Splunk thread:

the search|
append [|inputlookup file.cvs | table code]
| lookup file.cvs code OUTPUT message| stats count by message

This conversion can be closed.

yuanliu · ‎12-08-2022

@MPJ44 To close, you can check my answer as solution. As always, karma is appreciated.

How to use inputlookup in a search, but convert the field of a stats by some column by the field of another column?

lookup

Developer Spotlight with Brett Adams

Index This | What can you do to make 55,555 equal 500?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...