Subsearch using inputlookup

nakkanar · ‎03-05-2018

I'm working on a combination of subsearch & inputlookup.
Here is the scenario..

I have csv file and created a lookup file called http_status_codes.csv with the fieldname status_code , status_description.
Now I am looking for a sub search with CSV as below.

http_status_codes.csv
status_code,status_description
200, Success
404,Not_Found
500,InternalServerError

I have a search with a field called reqResCode...
Values for reqResCode are 200, 400, 500 etc.

Now I want to search for events reqResValues in CSV file.. something like below

source=my_soruce host="prodservers*" reqResCode in with output as Count of each reqResCode like below

responseCode   count   
200            20
400            40

I used below query:

index=my_soruce  host="prodservers*" |lookup http_response_codes.csv status_code | stats count by reqResCode

elliotproebstel · ‎03-05-2018

If all you want is a table with responseCode values and counts of those values, you won't need the lookup at all:

source=my_source host="prodservers*"
| stats count BY reqResCode
| rename reqResCode AS responseCode

If you also want the descriptions, then you can add the lookup:

source=my_source host="prodservers*"
| stats count BY reqResCode
| rename reqResCode AS responseCode
| lookup http_response_codes.csv status_code AS responseCode

Subsearch using inputlookup

Splunk Enterprise Security(ES) 7.3 is approaching the end of support. Get ready for ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Splunk Observability for AI

Are you a member of the Splunk Community?

Subsearch using inputlookup

Splunk Enterprise Security(ES) 7.3 is approaching the end of support. Get ready for ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Splunk Observability for AI