Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Search events based on lookup field and display lookup row even if nothing found

nomad1981
Explorer
‎07-15-2020 02:09 PM

I have a lookup file which contains a list of jobnames, description and their SLAs.

Example: 

jobNameDescriptionSLA
job1Example108.00
job2Example210.00
job5Example305.00

 

My index data (index=autosys) contains events for hundreds of jobs, their status and updated time. 

An event example would be: job1, FAILED, 07.00

I'm trying to write a query to output the below. However, there are cases where there won't be any events for a specific job. In that case, I need to display, "NOT RUNNING"

jobNameDescriptionSLAStatusUpdatetime
job1Example108.00FAILED07.00
job2Example210.00SUCCESS09.00
job5Example305.00NOT RUNNINGNULL

 

I'm using the following query, but it is not displaying the row that does not have any event/data in the index

 

 

 

| inputlookup append=t lookup_job.csv | table jobName, SLA, Description
| join jobName [search index=autosys  | inputlookup lookup_job.csv | fields jobName ]]
| table jobName, Description, SLA, Status, Updatedtime

 

 

 

 

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

nomad1981
Explorer
‎07-16-2020 08:36 AM

I was able to sort it out using join type=left

 

| inputlookup append=t lookup_job.csv | table jobName, SLA, Description
| join type=left jobName [search index=autosys  | inputlookup lookup_job.csv | fields jobName ]]
| table jobName, Description, SLA, Status, Updatedtime

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎07-15-2020 02:26 PM

index=autosys [|inputlookup lookup_job.csv | table jobName| format]
| lookup lookup_job.csv  jobName OUTPUT Description, SLA
| table jobName, Description, SLA, Status, Updatedtime

0 Karma
Reply
Solved! Jump to solution

nomad1981
Explorer
‎07-15-2020 03:42 PM

Unfortunately, the query does not return the item from the lookup if there are no events found. 

Also, I need the results to the displayed in the same order of jobName as per what is in the lookup file

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎07-16-2020 03:44 AM 
index=autosys 
| table jobName Status Updatedtime
| inputlookup append=t lookup_job.csv
| table jobName, Description, SLA, Status, Updatedtime
| fillnull status value="NOT RUNNING"
| stats values(*) as * by jobName

Like this?

0 Karma
Reply
Solved! Jump to solution

nomad1981
Explorer
‎07-16-2020 05:22 AM

That query returns all jobs in found in the search index autosys. 

I need to return the data that's in the lookup table as is and add 2 additional columns (Status and Updatedtime) which is found in the index data. If the search does not find the Status and Updatedtime for a specfic job, that job should still appear in the table with the 2 fields showing as "NOT RUNNING". 

 

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎07-16-2020 06:36 AM

try where

0 Karma
Reply
Solved! Jump to solution
Solution

nomad1981
Explorer
‎07-16-2020 08:36 AM

I was able to sort it out using join type=left

 

| inputlookup append=t lookup_job.csv | table jobName, SLA, Description
| join type=left jobName [search index=autosys  | inputlookup lookup_job.csv | fields jobName ]]
| table jobName, Description, SLA, Status, Updatedtime

 

0 Karma
Reply
Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

New Release | Splunk Cloud Platform 10.1.2507

Hello Splunk Community!We are thrilled to announce the General Availability of Splunk Cloud Platform 10.1.2507 ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...