Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to use inputlookup in a search, but convert the field of a stats by some column by the field of another column?

MPJ44
Loves-to-Learn Everything
‎12-07-2022 09:57 AM

I have a .csv with this format (this is a mock, just to give you an idea of the pattern)

code, message,

1, "Not found",

2, "Internal error",

3, "Success",

 

My search allow to do a stats count by code, but not by message.


What I need to do is return a table with the message and their count.

 

What I have so far is this query, but it returns a table of code by count, but I need message by count (and all category must be return, even those with count of zero):

 

the search | append [input lookup the csv file]
|stats count by message

I tried to play with fields and table, but I don't get the desired result.

Labels (1)
Labels
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎12-07-2022 10:04 AM

Why is it necessary to use inputlookup as opposed to lookup, which appears more directly applicable? (And more efficient.)

the search
| stats count by code
| lookup the_csv_file code
| fields - code ``` if you do not want to display code ```

 

0 Karma
Reply

MPJ44
Loves-to-Learn Everything
‎12-07-2022 10:17 AM

This solution doesn't display code with count value of zero.

Here is a solution I came up with the help of another Splunk thread:

 

the search|
append [|inputlookup file.cvs | table code]
| lookup file.cvs code OUTPUT message| stats count by message

 

This conversion can be closed.

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎12-08-2022 05:30 PM

@MPJ44 To close, you can check my answer as solution.  As always, karma is appreciated.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
Top