Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

index query results against inputlookup return stats/multiple stats

DanWilkinson
Engager
‎11-02-2023 03:31 PM

Hello and thank you for your time.

I would like to run a search in splunk, using the results against inputlookup lists to return the stats or multiple stats.

Example:

My search is:

index="MyIndex" AND host="MyHost" AND (*string1* OR "*string2*" OR "*string3*") | dedup user | table user

user_results
user.name1
user.name2
user.name3

using those results:


| inputlookup ACBounceList_a-c.csv
| inputlookup append=t ACBounceList_d-g.csv
| inputlookup append=t ACBounceList_h-l.csv
| inputlookup append=t ACBounceList_m-q.csv
| inputlookup append=t ACBounceList_r-s.csv
| inputlookup append=t ACBounceList_t-v.csv
| inputlookup append=t ACBounceList_w-z.csv
| stats count by field_stats_wanted

| where inputlookup_user = user_results

 

resulting in:

field_stats_wanted                     count

value1                                                     30

value2                                                     35

etc                                                            etc

 

Any assistance with this would be greatly appreciated.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DanWilkinson
Engager
‎11-06-2023 03:30 PM

Thank you for the response. I did manage to figure out my issue. First was the use of the multiple lookups, when I created the first lookup, I used sort, that limited my results to > 5000, and I needed < 30k. I fixed that, creating the Inputlookup ACResults.csv without the sort value that was limiting my results. (inputlookup was from Active Directory).

 

Then used the following search:

  index=Myindex host=xx.xx.xx.xx "AAA user accounting Successful"

  | dedup user

 

Then used lookup for where the user field values matched the field cn from my lookup:

  | lookup ACResults.csv cn as user

 

Final result of my new search:

index=Myindex host=xx.xx.xx.xx "AAA user accounting Successful"

| dedup user

| lookup ACResults.csv cn as user

| eval Sector=extensionAttribute14

| stats count by Sector

| sort -count

 

Answering your questions:

-What is the relationship between the field you tabled ("user") and all the lookup tables? -user = cn from active directory

-And the relationship with "field_stats_wanted"? -extensionAttribute14 for that user (cn) from Active Directory

- Most importantly, why is inputlookup even considered? -all my inputlookups had the same fields, so appending would make it easier to search, (I thought), I was wrong.

-It usually means that the problem is not clearly understood. - that was true, but I learned.

 

I hope this helps for future users. Thank you all the same.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎11-03-2023 02:52 AM

It is unclear what is being asked.  What is the relationship between the field you tabled ("user") and all the lookup tables?  And the relationship with "field_stats_wanted"?  Most importantly, why is inputlookup even considered?  If you wonder, appending multiple inputlookups is rarely the correct approach.  It usually means that the problem is not clearly understood.

So, explain the use case without SPL first.  Is "user" is the only field of interest from raw events?  What is the desired results?  What are in those lookup tables?  Why are there so many different tables? Are there inherent relationships between those tables?  What is the logic between "user", these tables, and desired results?  Try not make volunteers read your mind.

0 Karma
Reply
Solved! Jump to solution
Solution

DanWilkinson
Engager
‎11-06-2023 03:30 PM

Thank you for the response. I did manage to figure out my issue. First was the use of the multiple lookups, when I created the first lookup, I used sort, that limited my results to > 5000, and I needed < 30k. I fixed that, creating the Inputlookup ACResults.csv without the sort value that was limiting my results. (inputlookup was from Active Directory).

 

Then used the following search:

  index=Myindex host=xx.xx.xx.xx "AAA user accounting Successful"

  | dedup user

 

Then used lookup for where the user field values matched the field cn from my lookup:

  | lookup ACResults.csv cn as user

 

Final result of my new search:

index=Myindex host=xx.xx.xx.xx "AAA user accounting Successful"

| dedup user

| lookup ACResults.csv cn as user

| eval Sector=extensionAttribute14

| stats count by Sector

| sort -count

 

Answering your questions:

-What is the relationship between the field you tabled ("user") and all the lookup tables? -user = cn from active directory

-And the relationship with "field_stats_wanted"? -extensionAttribute14 for that user (cn) from Active Directory

- Most importantly, why is inputlookup even considered? -all my inputlookups had the same fields, so appending would make it easier to search, (I thought), I was wrong.

-It usually means that the problem is not clearly understood. - that was true, but I learned.

 

I hope this helps for future users. Thank you all the same.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk App for Anomaly Detection End of Life Announcment

Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...
Top