Solved: Re: Pulling two inputlookups (csv files) and graph...

lehrfeld · ‎02-16-2015

Hi All - I am trying to do some simple reporting on two lookup files we have.

Lookup File A

time number
2015-01-16 100
2015-01-17 200
2015-01-18 300
2015-01-18 600
2015-01-18 700

Lookup File B
time count
2015-01-16 700
2015-01-17 800
2015-01-18 900
2015-01-18 200
2015-01-18 300

I would like to sum(count) by time and sum(number) by time then produce a line chart. But I can't figure out how to use both of the lookup tables.

My last iteration looked like this.

| inputlookup email_into_edge.csv |
appendcols [| inputlookup email_into_forefront.csv
| stats sum(count) AS into_forefront by time]
| stats sum(number) AS into_edge by time

Thanks for any tips, Mike

somesoni2 · ‎02-16-2015

Give this a try

| inputlookup email_into_edge.csv | stats sum(number) AS into_edge by time
| appendcols [| inputlookup email_into_forefront.csv | stats sum(count) AS into_forefront by time] 
 | stats sum(*) as * by time

View solution in original post

somesoni2 · ‎02-16-2015

Give this a try

| inputlookup email_into_edge.csv | stats sum(number) AS into_edge by time
| appendcols [| inputlookup email_into_forefront.csv | stats sum(count) AS into_forefront by time] 
 | stats sum(*) as * by time

lehrfeld · ‎02-16-2015

Thanks for the reply.... for some reason I was getting weird results. The summing was off... so I did a join on time and that did it.

| inputlookup email_into_forefront.csv
| stats sum(count) AS into_forefront
by time | join time [| inputlookup
email_into_edge.csv | stats
sum(number) AS into_edge by time ]

Pulling two inputlookups (csv files) and graphing their information

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 2)

Index This | I am a number but I am countless. What am I?

What’s New in Splunk Enterprise 9.4: Tools for Digital Resilience