Solved: Re: Stats count with lookups

kiran331 · ‎09-29-2016

Hello,

I have to get the individual count of three lookups A,B,C. How can I show the count of each lookup n Dashboard in one panel?

search i'm trying:

sideview · ‎09-29-2016

You should use the inputlookup command's append=t command instead of the append command. (long story)

Here is the approach I would try.

| inputlookup A | eval file="A" | inputlookup append=t B | fillnull file value="B" | inputlookup append=t C | fillnull file value="C" | stats count by file

(Obviously if a field called "file" is actually present in any of these three lookups this wont work very well, but if so just pick a suitable field name.)

View solution in original post

sideview · ‎09-29-2016

You should use the inputlookup command's append=t command instead of the append command. (long story)

Here is the approach I would try.

| inputlookup A | eval file="A" | inputlookup append=t B | fillnull file value="B" | inputlookup append=t C | fillnull file value="C" | stats count by file

(Obviously if a field called "file" is actually present in any of these three lookups this wont work very well, but if so just pick a suitable field name.)

Stats count with lookups

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

Logs to Metrics

Developer Spotlight with Paul Stout