Splunk Search

Stats count with lookups

kiran331
Builder

Hello,

I have to get the individual count of three lookups A,B,C. How can I show the count of each lookup n Dashboard in one panel?

search i'm trying:

|inputlookup A.csv |append [|inputlookup B.csv]|append [|inputlookup C.csv]|append [|D.csv] | stats count ???

Tags (2)
1 Solution

sideview
SplunkTrust
SplunkTrust

You should use the inputlookup command's append=t command instead of the append command. (long story)

Here is the approach I would try.

| inputlookup A | eval file="A" | inputlookup append=t B | fillnull file value="B" | inputlookup append=t C | fillnull file value="C" | stats count by file

(Obviously if a field called "file" is actually present in any of these three lookups this wont work very well, but if so just pick a suitable field name.)

View solution in original post

0 Karma

sideview
SplunkTrust
SplunkTrust

You should use the inputlookup command's append=t command instead of the append command. (long story)

Here is the approach I would try.

| inputlookup A | eval file="A" | inputlookup append=t B | fillnull file value="B" | inputlookup append=t C | fillnull file value="C" | stats count by file

(Obviously if a field called "file" is actually present in any of these three lookups this wont work very well, but if so just pick a suitable field name.)

0 Karma
Get Updates on the Splunk Community!

Notification Email Migration Announcement

The Notification Team is migrating our email service provider from Postmark to AWS Simple Email Service (SES) ...

Mastering Synthetic Browser Testing: Pro Tips to Keep Your Web App Running Smoothly

To start, if you're new to synthetic monitoring, I recommend exploring this synthetic monitoring overview. In ...

Splunk Edge Processor | Popular Use Cases to Get Started with Edge Processor

Splunk Edge Processor offers more efficient, flexible data transformation – helping you reduce noise, control ...