Re: Subsearch using inputlookup

nakkanar · ‎03-05-2018

I'm working on a combination of subsearch & inputlookup.
Here is the scenario..

I have csv file and created a lookup file called http_status_codes.csv with the fieldname status_code , status_description.
Now I am looking for a sub search with CSV as below.

http_status_codes.csv
status_code,status_description
200, Success
404,Not_Found
500,InternalServerError

I have a search with a field called reqResCode...
Values for reqResCode are 200, 400, 500 etc.

Now I want to search for events reqResValues in CSV file.. something like below

source=my_soruce host="prodservers*" reqResCode in with output as Count of each reqResCode like below

responseCode   count   
200            20
400            40

I used below query:

index=my_soruce  host="prodservers*" |lookup http_response_codes.csv status_code | stats count by reqResCode

elliotproebstel · ‎03-05-2018

If all you want is a table with responseCode values and counts of those values, you won't need the lookup at all:

source=my_source host="prodservers*"
| stats count BY reqResCode
| rename reqResCode AS responseCode

If you also want the descriptions, then you can add the lookup:

source=my_source host="prodservers*"
| stats count BY reqResCode
| rename reqResCode AS responseCode
| lookup http_response_codes.csv status_code AS responseCode

Subsearch using inputlookup

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

SplunkTrust Application Period is Officially OPEN!

Join the Conversation