Splunk Search

One sourcetype, one lookup csv file, three counts

flora123
Path Finder

Hello, I want to show three digits.

index="test" sourcetype="count" [| inputlookup AA_list | fields AA_List] | stats count as AA_count
index="test" sourcetype="count" [| inputlookup BB_list | fields BB_List] | stats count as BB_count
index="test" sourcetype="count" [| inputlookup CC_list | fields CC_List] | stats count as CC_count

I know I can merge them with 'join'.

But is it possible to merge them into one search with other commands?

Thanks a lot. 😃

0 Karma

flora123
Path Finder

Sorry, I just wanted to make it easy to read. I did not do it well. My English is not good enough.

In fact, the lookup file only has one value.

My search is just like this.

index="test" sourcetype="count" | stats count as ALL_count | join type=outer max=0 overwrite=false [search index="test" sourcetype="count" [| inputlookup name_list | fields name_List | rename name as final] | stats count as Intra_count] | join type=outer max=0 overwrite=false [search index="test" sourcetype="count" NOT [| inputlookup name_list | fields name_List | rename name as final] | stats count as Extra_count]

It works well, but I want to know whether there is any other way to do this?

Thanks a lot. 😃

0 Karma

sideview
SplunkTrust

Can you post the fields and some sample content from the three lookup files?

Until then this is really going out on a limb... So take this with a grain of salt.

But I'm a little suspicious of why there are three separate lookups in the first place, given that you seem to be using them on identical data.

You might be better off merging them into a single lookup, but adding another field to the lookup? I'm making a couple assumptions here, notably that the 3 lookups are all keying off the same primary field, but let's say we merged them and we called the new field 'type' and its values were 'A', 'B', and 'C'. And say the primary field of the three lookups is called somefield.

index="test" sourcetype="count" | lookup master_list somefield | stats count by type

Kind of a shot in the dark. Please post the fields from the lookups though and I'm sure I or someone else can help more.

0 Karma
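A single-pass alternative to the two joins in the second post, as an added example that is not from either poster. It assumes the lookup `name_list` and the events share a key field called `name` (the thread does not state the real field name), and `in_list` is a hypothetical output field used only to mark matches.

```spl
index="test" sourcetype="count"
| lookup name_list name OUTPUT name AS in_list
| stats count AS ALL_count
        count(eval(isnotnull(in_list))) AS Intra_count
        count(eval(isnull(in_list))) AS Extra_count
```

A CSV lookup matches case-sensitively by default while a subsearch filter does not, so the counts can differ from the join version when the case of `name` varies between events and the lookup file.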