Splunk Search

If I have 3 columns in a lookup table, e.g. column "A" has 10 entries, column "B" has 5 entries and column "C" has 2 entries, how can I match them in a search?


If I have 3 fields A, B, C and I need to match all entries for those fields:
index=main |search [|inputlookup abc.csv | fields A,B,C] | stats count by A,B,C
Would this be the right query?



I think it is not working; let me put my query to you once again...
I have 3 columns in the lookup - A, B, C. A has 10 results, B has 5 and C has 3 results.
Now when I run index=main I get 3 fields: A has 100+ values, B has 50+ and C has 30+.
But when I match up with |search [|inputlookup abc.csv | fields A,B,C ] I am supposed to get 10 fields in "A", 5 fields in "B" and then 3 in "C", but it is not giving that with your query either.



There are a few possibilities here. I'll outline some sample data to describe the various options. Let's say your lookup table abc.csv contains the following:

A, B, C
1, 1, 1
2, 2, 3
36, 7, 9

One possibility is that you want to find events in index=main that match this:

(A=1 AND B=1 AND C=1) OR (A=2 AND B=2 AND C=3) OR (A=36 AND B=7 AND C=9)

If so, the code you suggested should work. And you could make it even more efficient by adjusting it like this:

index=main [|inputlookup abc.csv | fields A,B,C] | stats count by A,B,C

Another possibility is that you want to find events in index=main that match this:

A=1 OR B=1 OR C=1 OR A=2 OR B=2 OR C=3 OR A=36 OR B=7 OR C=9

If so, this would get you there:

index=main [|inputlookup abc.csv | fields A, B, C | format "" "" "OR" "" "OR" "" ] | stats count by A,B,C

And if you actually wanted to look for all events in index=main that contain the values from A,B,C but may appear anywhere in the events (not necessarily in structured extracted fields), you'd be matching on this:

(1 OR 2 OR 3 OR 36 OR 7 OR 9)

In that case, you could do this:

index=main [|inputlookup abc.csv | eval search=mvappend(A,B,C) | stats values(search) AS search | format ] | stats count by A,B,C
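The three search expressions in the answer above differ in which events they match, which is usually why a lookup-driven subsearch returns a surprising count. The following Python script, added here as an illustration and not code from the thread or from Splunk, builds each expression from the answer's abc.csv rows and counts matches against a handful of constructed events. spl_format approximates what Splunk's format command emits for the six positional arguments (row prefix, column prefix, column separator, column end, row separator, row end); value_terms approximates the mvappend/stats values/format variant. The event records, the tokenisation of _raw and the exact whitespace of the emitted strings are assumptions made for the example.

```python
import csv
import io

# Constructed sample lookup: the same three rows the answer uses for abc.csv.
LOOKUP_CSV = """A,B,C
1,1,1
2,2,3
36,7,9
"""
FIELDS = ["A", "B", "C"]

# Constructed sample events from index=main, already field-extracted
# (the last one has no A/B/C fields at all, only the value 36 in its raw text).
EVENTS = [
    {"_raw": "A=1 B=1 C=1 user=alice", "A": "1", "B": "1", "C": "1"},
    {"_raw": "A=2 B=9 C=5 user=bob", "A": "2", "B": "9", "C": "5"},
    {"_raw": "A=4 B=4 C=4 user=carol", "A": "4", "B": "4", "C": "4"},
    {"_raw": "status=36 user=dave", "status": "36"},
]


def load_lookup(text):
    """Parse the lookup CSV into one dict per row, as | inputlookup would return it."""
    return list(csv.DictReader(io.StringIO(text), skipinitialspace=True))


def spl_format(rows, fields, row_prefix="(", col_prefix="(", col_sep="AND",
               col_end=")", row_sep="OR", row_end=")"):
    """Approximate | format "<row prefix>" "<column prefix>" "<column separator>"
    "<column end>" "<row separator>" "<row end>". The defaults are Splunk's own,
    which is what a bare subsearch with no explicit format uses."""
    row_strings = []
    for r in rows:
        terms = [f'{f}="{r[f]}"' for f in fields]
        inner = f" {col_sep} ".join(terms)
        row_strings.append(" ".join(t for t in (col_prefix, inner, col_end) if t))
    body = f" {row_sep} ".join(row_strings)
    return " ".join(t for t in (row_prefix, body, row_end) if t)


def value_terms(rows, fields):
    """Approximate eval search=mvappend(A,B,C) | stats values(search) AS search | format:
    every value from every column, deduplicated and sorted as stats values() does,
    OR-ed together as bare terms (a field named 'search' is emitted without a name)."""
    values = sorted({r[f] for r in rows for f in fields})
    return "( " + " OR ".join(values) + " )"


def match_row_conjunction(event, rows, fields):
    """(A=1 AND B=1 AND C=1) OR (...): the whole lookup row must match one event."""
    return any(all(event.get(f) == r[f] for f in fields) for r in rows)


def match_any_field(event, rows, fields):
    """A=1 OR B=1 OR C=1 OR ...: any single field/value pair from the lookup matches."""
    return any(event.get(f) == r[f] for r in rows for f in fields)


def match_any_value(event, rows, fields):
    """(1 OR 2 OR ...): a lookup value appears anywhere in the raw event text.
    Assumption: a rough whitespace/'=' tokenisation stands in for Splunk's segmenter."""
    values = {r[f] for r in rows for f in fields}
    tokens = set(event["_raw"].replace("=", " ").split())
    return bool(values & tokens)


def count_matches(events, rows, fields):
    """How many of the sample events each of the three expressions would return."""
    return {
        "row_conjunction": sum(match_row_conjunction(e, rows, fields) for e in events),
        "any_field": sum(match_any_field(e, rows, fields) for e in events),
        "any_value": sum(match_any_value(e, rows, fields) for e in events),
    }


if __name__ == "__main__":
    rows = load_lookup(LOOKUP_CSV)
    print(spl_format(rows, FIELDS))
    print(spl_format(rows, FIELDS, "", "", "OR", "", "OR", ""))
    print(value_terms(rows, FIELDS))
    print(count_matches(EVENTS, rows, FIELDS))
```

Running the script prints the three expressions and the per-variant counts (1, 2 and 3 matching events for the constructed data), which is the same widening effect the answer describes: the default subsearch only returns events where a full lookup row lines up, the custom format returns events matching any one field, and the mvappend variant returns anything containing one of the values in any field.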