Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Subsearch using inputlookup

nakkanar
New Member
‎03-05-2018 08:10 AM

I'm working on a combination of subsearch & inputlookup.
Here is the scenario..

I have csv file and created a lookup file called http_status_codes.csv with the fieldname status_code , status_description.
Now I am looking for a sub search with CSV as below.

http_status_codes.csv
status_code,status_description
200, Success
404,Not_Found
500,InternalServerError

I have a search with a field called reqResCode...
Values for reqResCode are 200, 400, 500 etc.

Now I want to search for events reqResValues in CSV file.. something like below

source=my_soruce host="prodservers*" reqResCode in with output as Count of each reqResCode like below

responseCode   count   
200            20
400            40

I used below query:

index=my_soruce  host="prodservers*" |lookup http_response_codes.csv status_code | stats count by reqResCode
Tags (2)
0 Karma
Reply

elliotproebstel
Champion
‎03-05-2018 10:21 AM

If all you want is a table with responseCode values and counts of those values, you won't need the lookup at all:

source=my_source host="prodservers*"
| stats count BY reqResCode
| rename reqResCode AS responseCode

If you also want the descriptions, then you can add the lookup:

source=my_source host="prodservers*"
| stats count BY reqResCode
| rename reqResCode AS responseCode
| lookup http_response_codes.csv status_code AS responseCode
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...