Splunk Search

Subsearch using inputlookup

nakkanar
New Member

I'm working on a combination of subsearch & inputlookup.
Here is the scenario:

I have a CSV file and created a lookup file called http_status_codes.csv with the field names status_code, status_description.
Now I am looking for a subsearch with the CSV as below.

http_status_codes.csv
status_code,status_description
200,Success
404,Not_Found
500,InternalServerError

I have a search with a field called reqResCode.
Values for reqResCode are 200, 400, 500 etc.

Now I want to search for events whose reqResCode values are in the CSV file, something like below:

source=my_source host="prodservers*" reqResCode in with output as a count of each reqResCode like below

responseCode   count   
200            20
400            40

I used the query below:

index=my_source host="prodservers*" | lookup http_response_codes.csv status_code | stats count by reqResCode

elliotproebstel
Champion

If all you want is a table with responseCode values and counts of those values, you won't need the lookup at all:

source=my_source host="prodservers*"
| stats count BY reqResCode
| rename reqResCode AS responseCode

If you also want the descriptions, then you can add the lookup:

source=my_source host="prodservers*"
| stats count BY reqResCode
| rename reqResCode AS responseCode
| lookup http_response_codes.csv status_code AS responseCode
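An added example (not from either poster) for the subsearch-with-inputlookup approach the thread title asks about: restrict the base search to only the response codes listed in the lookup, then count and label them. It assumes the lookup file is http_status_codes.csv with fields status_code and status_description, and that events carry the field reqResCode, as described in the question.

```spl
source=my_source host="prodservers*"
    [ | inputlookup http_status_codes.csv
      | rename status_code AS reqResCode
      | fields reqResCode ]
| stats count BY reqResCode
| rename reqResCode AS responseCode
| lookup http_status_codes.csv status_code AS responseCode OUTPUT status_description
```

The subsearch expands to `(reqResCode=200) OR (reqResCode=404) OR (reqResCode=500)`, so only events with a code present in the lookup are counted; the rename inside the subsearch is what makes the generated terms match the event field name. Keep in mind that a subsearch is capped by the default result limit, so this pattern suits short code lists like this one rather than very large lookups.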