Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

I created a lookup and mapped to the logs, but how do I get the count of another field from a different log into my table?

Bhargav99
New Member
‎08-03-2015 02:15 PM 
index=main sourcetype=mysourcetype| stats count by X | lookup data.csv cad as X |table name, count, login | where name!=""|rename name as Application|rename count as "# of sessions"

I want to show this below with the "Login", but that field is in a different log. How do I get this? I need to show count of logins.
Format Preview

Apn # of sessions    Login 
Se        57     
Vr        18     
Vce      24  
Vint       1017  
Wiint     6972   
Google   6580    
BaNCE    29896   
Foy      16  
JIA    17768     
Sta     2355     
ip       135
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎08-03-2015 02:23 PM

Like this:

index=main sourcetype=mysourcetype OR sourcetype=othersourcetype| stats count(eval(sourcetype=mysourcetype)) AS SessionCount count(eval(sourcetype=othersourcetype)) AS LoginCount by X

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎08-03-2015 02:23 PM

Like this:

index=main sourcetype=mysourcetype OR sourcetype=othersourcetype| stats count(eval(sourcetype=mysourcetype)) AS SessionCount count(eval(sourcetype=othersourcetype)) AS LoginCount by X
0 Karma
Reply
Solved! Jump to solution

Bhargav99
New Member
‎08-03-2015 02:38 PM

I got the count but the thing is It is from the same source type. what is the query for that ? and will it automatically map the lookup?

I need a table
Application # of sessions Count(login)

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎08-03-2015 02:51 PM

You have not shared enough detail in order to give you a custom-fit answer. We do not know what fields are created by your lookup. We do not know what X is or how Apn fits into anything or even if Apn is a field. The search that I gave you is enough of a baseline for you to build out what you are asking and that is much as I can say without much more detail from you.

0 Karma
Reply
Solved! Jump to solution

Bhargav99
New Member
‎08-03-2015 02:55 PM

Thank you !! I got that.

0 Karma
Reply
Get Updates on the Splunk Community!

New Year, New Changes for Splunk Certifications

As we embrace a new year, we’re making a small but important update to the Splunk Certification ...

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...