Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Use results from search as input to a lookup

tnkoehn
Path Finder
‎04-05-2013 02:19 PM

I have an initial search that will find the top 100 Called_Numbers by the number of calls they are taking. A simplified version is:

index=Sonus sourcetype=Sonus earliest=-1h (START OR STOP)
|stats count(eval(CDR_Type=="START")) as starts, count(eval(CDR_Type=="STOP")) as stops by Called_Number
|eval calls=starts-stops
|sort -calls
|head 100

I then want to take those 100 Called_Numbers and perform a lookup to find client name and application. The lookup looks like this:

|lookup client_info.csv apn as Called_Number OUTPUT client as Client_Name, program as App_Name
|table Called_Number Client_Name App_Name calls

And the client_info.csv file contains 100's of thousands of records and looks like this:

apn,client,program
1420102,Client A,Widgets
2004029,Client B,Web
2007172,Client C,Mobile
2007226,Client D,Customer Service
2910509,Client E,Maintenance
.
.

After the search and the lookup, the output should be:

Called_Number     Client_Name     App_Name     calls
1234567           ABC Client      ABC App      159
2345678           XYZ Client      XYZ App      231
.
.

How do I do that in one search? I've tried subsearches and looked thru the Splunkbase for days. Can't seem to figure it out. Thanks for any help!

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

tnkoehn
Path Finder
‎04-09-2013 08:09 AM

Here's the answer. Thanks for the help and confirmation.

index=Sonus sourcetype=Sonus earliest=-1h (START OR STOP)
|stats count(eval(CDR_Type=="START")) as starts, count(eval(CDR_Type=="STOP")) as stops by Called_Number
|eval calls=starts-stops
|sort -calls
|head 100
|eval apn=mvappend(Called_Number,calls)
|lookup client_info.csv apn OUTPUT apn as Called_Number, client as Client_Name, program as App_Name
|table Called_Number Client_Name App_Name calls

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

tnkoehn
Path Finder
‎04-09-2013 08:09 AM

Here's the answer. Thanks for the help and confirmation.

index=Sonus sourcetype=Sonus earliest=-1h (START OR STOP)
|stats count(eval(CDR_Type=="START")) as starts, count(eval(CDR_Type=="STOP")) as stops by Called_Number
|eval calls=starts-stops
|sort -calls
|head 100
|eval apn=mvappend(Called_Number,calls)
|lookup client_info.csv apn OUTPUT apn as Called_Number, client as Client_Name, program as App_Name
|table Called_Number Client_Name App_Name calls
0 Karma
Reply
Solved! Jump to solution

kml_uvce
Builder
‎04-08-2013 05:39 PM

this is perfect...

kamal singh bisht
0 Karma
Reply
Solved! Jump to solution

kml_uvce
Builder
‎04-05-2013 05:24 PM

try this
index=Sonus sourcetype=Sonus earliest=-1h (START OR STOP) [|inputlookup client_info.csv |fields apn , client,program|rename apn as Called_Number,client as Client_Name, program as App_Name
]|stats count(eval(CDR_Type=="START")) as starts, count(eval(CDR_Type=="STOP")) as stops by Called_Number
|eval calls=starts-stops
|sort -calls
|head 100

-Kamal Bisht

kamal singh bisht
0 Karma
Reply
Solved! Jump to solution

tnkoehn
Path Finder
‎04-08-2013 08:21 AM

I think I may have figured this out (because it works!), although it may not be the best way. Let me know what you think:

index=Sonus sourcetype=Sonus earliest=-1h (START OR STOP)
|stats count(eval(CDR_Type=="START")) as starts, count(eval(CDR_Type=="STOP")) as stops by Called_Number
|eval calls=starts-stops
|sort -calls
|head 100
|eval apn=mvappend(Called_Number,calls)
|lookup client_info.csv apn as apn OUTPUT apn as Called_Number, client as Client_Name, program as App_Name
|table Called_Number Client_Name App_Name calls

0 Karma
Reply
Solved! Jump to solution

tnkoehn
Path Finder
‎04-08-2013 08:02 AM

This doesn't work. Just to be clear, I want to find the top 100 called numbers first, and then use those called numbers to perform the client lookup. I edited my original post to include the format of the client_info.csv file and attempted to make the question a little more understandable . Let me know if you need anything else that can help. Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...