Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Search events based on lookup field and display lookup row even if nothing found

nomad1981
Explorer
‎07-15-2020 02:09 PM

I have a lookup file which contains a list of jobnames, description and their SLAs.

Example: 

jobNameDescriptionSLA
job1Example108.00
job2Example210.00
job5Example305.00

 

My index data (index=autosys) contains events for hundreds of jobs, their status and updated time. 

An event example would be: job1, FAILED, 07.00

I'm trying to write a query to output the below. However, there are cases where there won't be any events for a specific job. In that case, I need to display, "NOT RUNNING"

jobNameDescriptionSLAStatusUpdatetime
job1Example108.00FAILED07.00
job2Example210.00SUCCESS09.00
job5Example305.00NOT RUNNINGNULL

 

I'm using the following query, but it is not displaying the row that does not have any event/data in the index

 

 

 

| inputlookup append=t lookup_job.csv | table jobName, SLA, Description
| join jobName [search index=autosys  | inputlookup lookup_job.csv | fields jobName ]]
| table jobName, Description, SLA, Status, Updatedtime

 

 

 

 

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

nomad1981
Explorer
‎07-16-2020 08:36 AM

I was able to sort it out using join type=left

 

| inputlookup append=t lookup_job.csv | table jobName, SLA, Description
| join type=left jobName [search index=autosys  | inputlookup lookup_job.csv | fields jobName ]]
| table jobName, Description, SLA, Status, Updatedtime

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎07-15-2020 02:26 PM

index=autosys [|inputlookup lookup_job.csv | table jobName| format]
| lookup lookup_job.csv  jobName OUTPUT Description, SLA
| table jobName, Description, SLA, Status, Updatedtime

0 Karma
Reply
Solved! Jump to solution

nomad1981
Explorer
‎07-15-2020 03:42 PM

Unfortunately, the query does not return the item from the lookup if there are no events found. 

Also, I need the results to the displayed in the same order of jobName as per what is in the lookup file

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎07-16-2020 03:44 AM 
index=autosys 
| table jobName Status Updatedtime
| inputlookup append=t lookup_job.csv
| table jobName, Description, SLA, Status, Updatedtime
| fillnull status value="NOT RUNNING"
| stats values(*) as * by jobName

Like this?

0 Karma
Reply
Solved! Jump to solution

nomad1981
Explorer
‎07-16-2020 05:22 AM

That query returns all jobs in found in the search index autosys. 

I need to return the data that's in the lookup table as is and add 2 additional columns (Status and Updatedtime) which is found in the index data. If the search does not find the Status and Updatedtime for a specfic job, that job should still appear in the table with the 2 fields showing as "NOT RUNNING". 

 

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎07-16-2020 06:36 AM

try where

0 Karma
Reply
Solved! Jump to solution
Solution

nomad1981
Explorer
‎07-16-2020 08:36 AM

I was able to sort it out using join type=left

 

| inputlookup append=t lookup_job.csv | table jobName, SLA, Description
| join type=left jobName [search index=autosys  | inputlookup lookup_job.csv | fields jobName ]]
| table jobName, Description, SLA, Status, Updatedtime

 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...