Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is there a way to search multiple lookup tables and do a stats count by X across all the tables within the same search?

deadbits
Explorer
‎05-10-2013 12:18 AM

I am having some trouble performing a search across multiple lookup tables. I have several csv's as lookup tables (let's say table1.csv, table2.csv, table3.csv), all of which have the same field names with different data. I am trying to get a trending view of this data over time - as each lookup table covers one week's worth of data.

Q: Is there a way to search multiple lookup tables and do a stats count by X across all the tables within the same search?

A search for an individual table works fine. for example: |inputlookup table2.csv | stats count by field1

a few of the searches I've tried are:
search one: [ | inputlookup table1.csv | stats count by field1 ] [ |inputlookup table2.csv | stats count by field1]
search two: |inputlookup table1.csv |inputlookup table2.csv | stats count by field1

Am I going about this the complete wrong way or is what I'm trying to do simply not possible? Any help at all would be greatly appreciated!

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

dart
Splunk Employee
Splunk Employee
‎05-10-2013 01:36 AM

For the question as asked, something like this might work for you:

| inputlookup table1.csv | inputlookup append=t table2.csv | inputlookup append=t table3.csv | stats count by field1

However, you probably want to differentiate between the lookups, which you could do by having a second field (lookup_name) like so:

| inputlookup table1.csv | inputlookup append=t table2.csv | inputlookup append=t table3.csv | stats count by field1 lookup_name

Depending on your use case you may want to use a time-based lookup combining all of the results.

View solution in original post

Reply
Solved! Jump to solution

ksharma7
Path Finder
‎04-14-2020 05:40 AM

Say I have two lookup table1.csv and table2.csv and both has different fields. Now I want to include table1.csv but exclude results from msin search for column present on table 2.csv. how to do that

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎04-14-2020 06:21 AM

@ksharma7, This question is nearly 7 years old with an accepted answer. Please post a new question describing your problem.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution
Solution

dart
Splunk Employee
Splunk Employee
‎05-10-2013 01:36 AM

For the question as asked, something like this might work for you:

| inputlookup table1.csv | inputlookup append=t table2.csv | inputlookup append=t table3.csv | stats count by field1

However, you probably want to differentiate between the lookups, which you could do by having a second field (lookup_name) like so:

| inputlookup table1.csv | inputlookup append=t table2.csv | inputlookup append=t table3.csv | stats count by field1 lookup_name

Depending on your use case you may want to use a time-based lookup combining all of the results.

Reply
Solved! Jump to solution

asharma737
New Member
‎03-30-2023 08:13 AM

Hi @dart  @deadbits @ksharma7 @ipark_splunk 

1 Question:

whatever example you shared thats great and working but what about multiple lookups if i wanted to search , for example if i am having 20 lookups like table1.csv to table20.csv with different name , Actually we can do appending for each of one, need your help here.

2 Question:

whatever result we are receiving in that i wanted to add lookup name as well because my all lookups are having different name with different name.

Could you please help me on this ?

0 Karma
Reply
Solved! Jump to solution

deadbits
Explorer
‎05-10-2013 10:43 AM

Awesome, thank you. I think the time-based lookup is what I'm looking for. I had some luck with the append=t flag as well. Thanks for your help! 😄

0 Karma
Reply
Solved! Jump to solution

ipark_splunk
Splunk Employee
Splunk Employee
‎11-21-2018 05:15 PM

Thanks @dart this is awesome! How about this one:

| inputlookup table1.csv 
| append 
    [| inputlookup table2.csv]
    [| inputlookup table3.csv]
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...