Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

checking if all values from lookup exists

dorHerbesman
Path Finder
‎03-05-2024 06:58 AM

Hey, im trying to do something relative easy and for some reason can't make it..

i have a lookup named tableq_lookyp with only one column tableq with the values:

1,2,4,5,7,8,10,11,12,13,14,15,16,20,21,22 (each value is different row)

and i have this search:

index=myidnex sourcetype=mysourcetype source=mysource

| table ACCUM_CODE LOCK_CODE PERIOD_KEY TABLEQ UPD_DATE UPD_TIME USER_NAME

i want to check if all of the values from the tableq lookup exists in my search 

so i should get 16 rows (as the amount of different values in tableq) and a new column with yes/no options that tell me if the value appear in the search/lookup or not 
what is the best way of doing it?

 

thanks !

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎03-05-2024 11:30 PM

Hi @dorHerbesman ,

if you want to list all the values from the lookup that aren't present in the search results, you will not have these fields!

Anyway, you can add all the other fields adding them  and using the values option in stats command:

index=myidnex sourcetype=mysourcetype source=mysource
| stats
   count
   values(ACCUM_CODE) AS ACCUM_CODE
   values(LOCK_CODE) AS LOCK_CODE
   values(PERIOD_KEY) AS PERIOD_KEY
   values(UPD_DATE) AS UPD_DATE
   values(UPD_TIME) AS UPD_TIME
   values(USER_NAME) AS USER_NAME
   BY TABLEQ
| append [ | inputlookup your_lookup| eval count=0 | rename tableq  AS TABLEQ | fields TABLEQ count ]
| stats
   sum(count) AS total
   values(ACCUM_CODE) AS ACCUM_CODE
   values(LOCK_CODE) AS LOCK_CODE
   values(PERIOD_KEY) AS PERIOD_KEY
   values(UPD_DATE) AS UPD_DATE
   values(UPD_TIME) AS UPD_TIME
   values(USER_NAME) AS USER_NAME
   BY TABLEQ
| where total=0

 Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎03-05-2024 07:13 AM

Hi @dorHerbesman,

try something like this:

index=myidnex sourcetype=mysourcetype source=mysource
| stats
   count
   BY TABLEQ
| append [ | inputlookup your_lookup | eval count=0 | rename tableq  AS TABLEQ | fields TABLEQ count ]
| stats
   sum(count) AS total
   BY TABLEQ
| where total=0

Ciao.

Giuseppe

Reply
Solved! Jump to solution

dorHerbesman
Path Finder
‎03-05-2024 11:02 PM

OK the calculation is correct but now i've lost all other fields 

| table ACCUM_CODE LOCK_CODE PERIOD_KEY TABLEQ UPD_DATE UPD_TIME USER_NAME

how can i regain them but keep the calulation code you provide?

 

thanks again for the help!

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎03-05-2024 11:30 PM

Hi @dorHerbesman ,

if you want to list all the values from the lookup that aren't present in the search results, you will not have these fields!

Anyway, you can add all the other fields adding them  and using the values option in stats command:

index=myidnex sourcetype=mysourcetype source=mysource
| stats
   count
   values(ACCUM_CODE) AS ACCUM_CODE
   values(LOCK_CODE) AS LOCK_CODE
   values(PERIOD_KEY) AS PERIOD_KEY
   values(UPD_DATE) AS UPD_DATE
   values(UPD_TIME) AS UPD_TIME
   values(USER_NAME) AS USER_NAME
   BY TABLEQ
| append [ | inputlookup your_lookup| eval count=0 | rename tableq  AS TABLEQ | fields TABLEQ count ]
| stats
   sum(count) AS total
   values(ACCUM_CODE) AS ACCUM_CODE
   values(LOCK_CODE) AS LOCK_CODE
   values(PERIOD_KEY) AS PERIOD_KEY
   values(UPD_DATE) AS UPD_DATE
   values(UPD_TIME) AS UPD_TIME
   values(USER_NAME) AS USER_NAME
   BY TABLEQ
| where total=0

 Ciao.

Giuseppe

Reply
Solved! Jump to solution

dorHerbesman
Path Finder
‎03-05-2024 11:33 PM

that's exectly what i wanted! thanks!

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎03-05-2024 11:38 PM

Hi @dorHerbesman ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

Reply
Solved! Jump to solution

kiran_panchavat
Champion
‎03-05-2024 07:09 AM

@dorHerbesman I don't see the lookup command in your search. 

index=elbit_hr sourcetype=synerionDB source=retromng 

| table ACCUM_CODE LOCK_CODE PERIOD_KEY TABLEQ UPD_DATE UPD_TIME USER_NAME
Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
0 Karma
Reply
Solved! Jump to solution

kiran_panchavat
Champion
‎03-05-2024 07:08 AM

@dorHerbesman Hi, you must upload the lookup first, then use the |inputlookup tableq_lookyp to check. Upon successfully viewing your lookup data, you can access Splunk by using the lookup command. And the only way to find out is to use your initial search query along with the lookup command. Kindly review the Splunk documents listed below for your reference.

lookup - Splunk Documentation 

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...