Using the inputlookup command, how do I get a "Nul...

roopasree · ‎10-23-2018

After applying the time range 01/10/2018 to 05/10/2018, I am not able to get s3,s5 in output.

I am getting output as:

s1

s2
s4
s6
output must be
s1
s2
s3
s4
s5
s6
Here is the below query

|inputlookup a.csv| eval b= round(strptime(Start_Time,"%m/%d/%Y"),0) | where b<=(1536107400) AND b>=(1535761800) | where s="S1" OR s="S2" OR s="S3" OR s="S4" OR s="S5" OR s="S6"

renjith_nair · ‎10-23-2018

@roopasree,

If you have definite number of s (s1...s6), then try this

|inputlookup a.csv| eval b= round(strptime(Start_Time,"%m/%d/%Y"),0) 
| where b<=(1536107400) AND b>=(1535761800) 
| where s="S1" OR s="S2" OR s="S3" OR s="S4" OR s="S5" OR s="S6"
| append[|stats count|eval s="S1,S2,S3,S4,S5,S6"
| makemv s delim=","|mvexpand s]|stats list(*) as * by s
| eval count=mvindex(count,0)

Run anywhere example

    |makeresults |eval s="s1,s2,s4,s6"|eval count="1,2,4,6"|makemv s delim=","|makemv count delim=","
    |eval x=mvzip(s,count)|table x|mvexpand x|eval x=split(x,",")|eval s=mvindex(x,0),count=mvindex(x,1)|fields - x
    |rename COMMENTS as "Search above this line is for dummy data creation"
    |append[|stats count|eval s="s1,s2,s3,s4,s5,s6"|makemv s delim=","|mvexpand s]
    |stats list(*) as * by s|eval count=mvindex(count,0)

---
What goes around comes around. If it helps, hit it with Karma 🙂

Using the inputlookup command, how do I get a "Null result" or "0" as output for rows which are not selected in a time range?

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!