Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

data and lookup field problem

secure
Path Finder
‎12-17-2024 07:21 AM

Hi All

i have a csv look up with below data

Event_Code

AUB01

AUB36

BUA12

i want to match it with a dataset which has field name  Event_Code with several values i need to extract the count of the event code per day from the matching csv lookup 

my query 

index=abc 
|rex field=data "\|(?<data>[^\.|]+)?\|(?<Event_Code>[^\|]+)?\|"
| lookup dataeventcode.csv Event_Code
| timechart span=1d dc(Event_Code)

however the result is showing all 100 count per day instaed of matching the event code from the CSV and then give the total count per day

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎12-17-2024 07:31 AM

Hi @secure ,

if you want to filter results from main search using the Event_Codes from the lookup, you must use a subsearch:

index=abc 
| rex field=data "\|(?<data>[^\.|]+)?\|(?<Event_Code>[^\|]+)?\|"
| search [ | inputlookup dataeventcode.csv | fields Event_Code ]
| timechart span=1d dc(Event_Code)

If you extract the Event_Code field before the search as a field, you can put the subsearch in the main search.

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎12-17-2024 07:36 AM

The query checks the lookup file, but then does nothing with it.  That's why all events are counted.  Try this

index=abc 
|rex field=data "\|(?<data>[^\.|]+)?\|(?<Event_Code>[^\|]+)?\|"
| lookup dataeventcode.csv Event_Code OUTPUT Event_Code as found
| where isnotnull(found)
| timechart span=1d dc(Event_Code)

If the Event_Code field did not need to be extracted via rex then we could have used inputlookup to give Splunk a list of codes to search for.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎12-17-2024 07:31 AM

Hi @secure ,

if you want to filter results from main search using the Event_Codes from the lookup, you must use a subsearch:

index=abc 
| rex field=data "\|(?<data>[^\.|]+)?\|(?<Event_Code>[^\|]+)?\|"
| search [ | inputlookup dataeventcode.csv | fields Event_Code ]
| timechart span=1d dc(Event_Code)

If you extract the Event_Code field before the search as a field, you can put the subsearch in the main search.

Ciao.

Giuseppe

Reply
Get Updates on the Splunk Community!

Application management with Targeted Application Install for Victoria Experience

  Experience a new era of flexibility in managing your Splunk Cloud Platform apps! With Targeted Application ...

Index This | What goes up and never comes down?

January 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Splunkers, Pack Your Bags: Why Cisco Live EMEA is Your Next Big Destination

The Power of Two: Splunk &#43; Cisco at "Ludicrous Scale"   You know Splunk. You know Cisco. But have you seen ...