Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

combine events from index and inputlookup

hvdtol
Path Finder
‎02-11-2021 07:48 AM

Hello,

I would like some help

I am trying to combine 2 events from my index and 2 event coming from a lookup file, into 2 table lines.
Like this:

index=blala
..

| table env host start end duration week yymm
| append
[ | inputlookup mylookup.csv
| eval st_time=strptime(startdate, "%Y-%m-%d")
| eval en_time=strptime(enddate, "%Y-%m-%d")
| addinfo
| where info_min_time>= st_time AND info_max_time<=en_time
]
| table env host start end duration week yymm
| eval env = "DEV"
| table env host start end duration week yymm

This is the rough output

env  host    start                                     end                                         duration  week          yymm
DEV host1 02/06/2021:10:29:52 02/06/2021:11:20:16    50             2021-05
DEV                                                                                                                                                     2105
DEV host2 02/06/2021:10:29:33 02/06/2021:11:07:42     38           2021-05
DEV                                                                                                                                                     2105

And this is what i am trying to accomplise
DEV host1 02/06/2021:10:29:52 02/06/2021:11:20:16    50             2021-05   2105
DEV host2 02/06/2021:10:29:33 02/06/2021:11:07:42     38           2021-05    2105

I tried several commands, but i am unable to do so.

Thank you in advance

regards,

Harry

Labels (2)
Labels
0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎02-12-2021 01:12 AM

Hi @hvdtol,

You can use list function on stats;

index=blala
..

| table env host start end duration week yymm
| append
[ | inputlookup mylookup.csv
| eval st_time=strptime(startdate, "%Y-%m-%d")
| eval en_time=strptime(enddate, "%Y-%m-%d")
| addinfo
| where info_min_time>= st_time AND info_max_time<=en_time
]
| fields env host start end duration week yymm
| eval env = "DEV"
| stats list(*) as * by env
| table env host start end duration week yymm
If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎02-11-2021 12:36 PM

You're almost there!  With the two searches appended, the next step is to merge the results.  That's best done using (unintuitively) stats.  Think of it as a grouping command as well as a statistics command.

index=blala
..

| table env host start end duration week yymm
| append
[ | inputlookup mylookup.csv
| eval st_time=strptime(startdate, "%Y-%m-%d")
| eval en_time=strptime(enddate, "%Y-%m-%d")
| addinfo
| where info_min_time>= st_time AND info_max_time<=en_time
]
| fields env host start end duration week yymm
| eval env = "DEV"
| stats values(*) as * by env
| table env host start end duration week yymm

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

hvdtol
Path Finder
‎02-12-2021 12:24 AM

Hi,

Thank you for thinking along with me
Unfortunatly i now get 1 event where the second line for yymm is empty
Any help is appreciated

env          host     start                                     end                                        duration    week           yymm
DEV        host1  02/06/2021:10:29:52  02/06/2021:11:20:16  50                2021-05    2105
                 host2  02/06/2021:10:29:33  02/06/2021:11:07:42  38               2021-05

Regards,

Harry

0 Karma
Reply
Get Updates on the Splunk Community!

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...

Splunk AppDynamics Agents Webinar Series

Mark your calendars! On June 24th at 12PM PST, we’re going live with the second session of our Splunk ...

SplunkTrust Application Period is Officially OPEN!

It's that time, folks! The application/nomination period for the 2025 SplunkTrust is officially open! If you ...
Top