Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Subsearch using inputlookup

nakkanar
New Member
‎03-05-2018 08:10 AM

I'm working on a combination of subsearch & inputlookup.
Here is the scenario..

I have csv file and created a lookup file called http_status_codes.csv with the fieldname status_code , status_description.
Now I am looking for a sub search with CSV as below.

http_status_codes.csv
status_code,status_description
200, Success
404,Not_Found
500,InternalServerError

I have a search with a field called reqResCode...
Values for reqResCode are 200, 400, 500 etc.

Now I want to search for events reqResValues in CSV file.. something like below

source=my_soruce host="prodservers*" reqResCode in with output as Count of each reqResCode like below

responseCode   count   
200            20
400            40

I used below query:

index=my_soruce  host="prodservers*" |lookup http_response_codes.csv status_code | stats count by reqResCode
Tags (2)
0 Karma
Reply

elliotproebstel
Champion
‎03-05-2018 10:21 AM

If all you want is a table with responseCode values and counts of those values, you won't need the lookup at all:

source=my_source host="prodservers*"
| stats count BY reqResCode
| rename reqResCode AS responseCode

If you also want the descriptions, then you can add the lookup:

source=my_source host="prodservers*"
| stats count BY reqResCode
| rename reqResCode AS responseCode
| lookup http_response_codes.csv status_code AS responseCode
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...